If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys. If disabled, signatures are neither required nor checked, so it’s strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.

true