summary refs log tree commit diff
path: root/doc
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2013-12-30 22:46:21 +0100
committerLudovic Courtès <ludo@gnu.org>2013-12-30 22:57:37 +0100
commit554f26ece3c6e3fb04d8069e6be1095e622a97c5 (patch)
tree4a64678b2f1c34c72a53e84264ca56a09b34c72c /doc
parentdedb5d947ee2890524a5c6fb1343b3299e7731c3 (diff)
downloadguix-554f26ece3c6e3fb04d8069e6be1095e622a97c5.tar.gz
archive: Add '--generate-key'.
* guix/pk-crypto.scm (error-source, error-string): New procedures.
* guix/pki.scm (%private-key-file): New variable.
* guix/scripts/archive.scm (show-help): Document '--generate-key'.
  (%options): Add "generate-key".
  (generate-key-pair): New procedure.
  (guix-archive): Call 'generate-key' when OPTS contains a
  'generate-key' pair.
* doc/guix.texi (Setting Up the Daemon): Suggest generating a key pair.
  (Invoking guix archive): Document '--generate-key'.
Diffstat (limited to 'doc')
-rw-r--r--doc/guix.texi22
1 files changed, 22 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index afa7654d54..ec529346c7 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -237,6 +237,14 @@ case, shared memory support is unavailable in the chroot environment.
 The workaround is to make sure that @file{/dev/shm} is directly a
 @code{tmpfs} mount point.}.
 
+Finally, you may want to generate a key pair to allow the daemon to
+export signed archives of files from the store (@pxref{Invoking guix
+archive}):
+
+@example
+# guix archive --generate-key
+@end example
+
 Guix may also be used in a single-user setup, with @command{guix-daemon}
 running as an unprivileged user.  However, to maximize non-interference
 of build processes, the daemon still needs to perform certain operations
@@ -948,6 +956,20 @@ resulting archive to the standard output.
 Read an archive from the standard input, and import the files listed
 therein into the store.  Abort if the archive has an invalid digital
 signature.
+
+@item --generate-key[=@var{parameters}]
+Generate a new key pair for the daemons.  This is a prerequisite before
+archives can be exported with @code{--export}.  Note that this operation
+usually takes time, because it needs to gather enough entropy to
+generate the key pair.
+
+The generated key pair is typically stored under @file{/etc/guix}, in
+@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
+key, which must be kept secret.)  When @var{parameters} is omitted, it
+is a 4096-bit RSA key.  Alternately, @var{parameters} can specify
+@code{genkey} parameters suitable for Libgcrypt (@pxref{General
+public-key related Functions, @code{gcry_pk_genkey},, gcrypt, The
+Libgcrypt Reference Manual}).
 @end table
 
 To export store files as an archive to the standard output, run: