Ludovic Courtès <[email protected]> skribis: > The problem is that ‘guix substitute’ will accept such narinfos (when > they are signed by an authorized key), even though the signature doesn’t > cover the important parts (namely: StorePath, NarHash, and References; > the rest is mostly informative.) A fix is attached with tests that > illustrate the problem.
I pushed the fix as 60b04024f8823192b74c1ed5b14f318049865ac7 and an update of the ‘guix’ package as 7ef64ec8476e9f13262d7755aff27c97dd2cd683. I encourage you to upgrade your daemon. Ludo’.
