Please sign ISOs

I hesitate to use an unsigned ISO. Not signing it gives the feeling that the nixos team is trying not to take responsibility for the released ISOs.

What kind of signing are you talking about?

As far as I remember there are sha256 files for each ISO.

If you are talking about secure boot though, that is currently not supported by nixos at all.

Also, if you already have any system with the nix package manager installed (e.g. nix can be installed using apt on debian), you can build your own ISO: Creating a NixOS live CD - NixOS Wiki

2 Likes

That’s an improvement that would be welcome. But ISOs are automatically generated with the last channel, and I wouldn’t trust automatic signing much. That would be different if NixOS was providing a single ISO at the release date; a human could easily handle signing the files once every 6 months.

The checksum is already good enough, especially since you can rebuild it locally if you have nix, to challenge the ISO provider and see if they provide the same version you can build locally.

2 Likes

FWIW, the ISO builds are on Hydra, which means they’re signed by the key for cache.nixos.org. You can download that ISO from Hydra, though I’m not sure how to download the signature from there (you can make Nix substitute the path from the cache, and that will cause it to download the signature into the Nix DB; I just don’t know how to download it manually).

2 Likes

The output path of the ISO should also be signed by the cache. I guess you could verify that.

Though, as @Solene mentioned, it isn’t really worth much and building it yourself is better anyways if you’re that paranoid.
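How the cache signature mentioned above can be checked by hand, as an added example that is not from any poster in this thread: a binary cache publishes a .narinfo per store path whose Sig line is an Ed25519 signature over the fingerprint "1;<storePath>;<narHash>;<narSize>;<references>". The key pair, store path and NAR hash below are constructed placeholders, not the real cache.nixos.org key or a real ISO path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// NarInfo carries the .narinfo fields that the binary-cache signature covers.
type NarInfo struct {
	StorePath, NarHash, Sig string   // NarHash "sha256:<base32>", Sig "keyName:base64(sig)"
	NarSize                 uint64
	References              []string // basenames, as listed in the narinfo
}

// Fingerprint rebuilds the string Nix signs: "1;<path>;<narHash>;<narSize>;<refs>".
func Fingerprint(n NarInfo) string {
	refs := make([]string, len(n.References))
	for i, r := range n.References {
		refs[i] = "/nix/store/" + r // references enter the fingerprint as full store paths
	}
	return fmt.Sprintf("1;%s;%s;%d;%s", n.StorePath, n.NarHash, n.NarSize, strings.Join(refs, ","))
}

// VerifySig checks the Sig line against the trusted keys (keyName -> public key).
func VerifySig(n NarInfo, trusted map[string]ed25519.PublicKey) bool {
	name, b64, ok := strings.Cut(n.Sig, ":")
	pub, known := trusted[name]
	sig, err := base64.StdEncoding.DecodeString(b64)
	if !ok || !known || err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(Fingerprint(n)), sig)
}

// Demo signs a constructed narinfo with a throw-away key (not the real cache key)
// and returns the verdicts for the genuine record and a tampered copy.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	n := NarInfo{StorePath: "/nix/store/" + strings.Repeat("0", 32) + "-nixos-example.iso",
		NarHash: "sha256:" + strings.Repeat("0", 52), NarSize: 4096}
	sig := ed25519.Sign(priv, []byte(Fingerprint(n)))
	n.Sig = "cache.example-1:" + base64.StdEncoding.EncodeToString(sig)
	trusted := map[string]ed25519.PublicKey{"cache.example-1": pub}
	genuineOK = VerifySig(n, trusted)
	n.NarSize++ // any change to a signed field breaks the signature
	return genuineOK, VerifySig(n, trusted)
}
func main() { fmt.Println(Demo()) }
```

With a real narinfo you would paste its StorePath, NarHash, NarSize and References fields and the published public key for the key name in its Sig line.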

If you can find the hash of the ISO, you should be able to use this:

https://son22.connorbrewster.repl.co/#11 This is a script to populate a nix store from prebuilt binaries.

1 Like

I use an old device that is safer against hardware spyware (and I can’t afford a new system). The building takes lots of time but is probably a safe method.