Hello, Thiago Jung Bauermann <bauerm...@kolabnow.com> skribis:
> I’ve been thinking lately that Guix {sh,c}ould have a new ’release-signing-
> keys’ field in the package record which would list the keys that are known
> to sign official releases of the package. Then Guix would check the tarball/
> git commit/git tag when downloading it. It would be an additional (and IMHO
> important) source of truth.

Yes, it’s been discussed a few times and I agree it’d be nice.

The difficulty here is that it’s “silent” metadata: it’s not used, or at least not necessarily used as part of the download process. But maybe that’s OK: we can have the download process check signatures when possible. Right now we rely on ‘guix refresh -u’ or on contributors/reviewers to perform this check.

> There are details that would need to be hashed out such as how to deal with
> revoked keys or whether to store the keys themselves on the Guix repo or
> anywhere else in Guix’s infrastructure, but I think it’s possible to arrive
> at a reasonable solution.

Perhaps a first step would be to download keys opportunistically. We have (guix openpgp) which can be used to verify signatures without taking revocation into account.

Thanks,
Ludo’.
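As an added illustration of the idea discussed in this thread (not code from Guix or from either poster), the sketch below shows how a package's declared release-signing key fingerprints could be checked against a detached signature using the (guix openpgp) module. The module's exported procedures are used as I understand them (string->openpgp-packet for an ASCII-armored signature, get-openpgp-keyring for a binary keyring, verify-openpgp-signature returning a status symbol plus the key or key id, openpgp-public-key-fingerprint and openpgp-format-fingerprint for the fingerprint); the `release-signing-keys` list, the `check-release-signature` procedure and the placeholder fingerprint are assumptions of this example, and the "missing key" outcome is kept distinct so a caller can treat it opportunistically (skip) rather than as a hard failure, which is the revocation-agnostic, best-effort behaviour the message describes.

```scheme
;; Added example, not part of Guix.  Assumes the (guix openpgp) API as
;; described in the lead-in; run inside a Guix checkout with `guix repl`.
(use-modules (guix openpgp)
             (ice-9 match)
             (ice-9 textual-ports)
             (rnrs io ports))

;; Hypothetical per-package metadata: formatted fingerprints of the keys
;; that are known to sign official releases.  Placeholder value.
(define release-signing-keys
  '("0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"))

(define (load-keyring file)
  ;; FILE is a binary OpenPGP keyring (e.g. exported with `gpg --export`).
  (call-with-input-file file get-openpgp-keyring #:binary #t))

(define (load-armored-signature file)
  ;; FILE is an ASCII-armored detached signature (.asc).
  (string->openpgp-packet (call-with-input-file file get-string-all)))

(define (key-fingerprint key)
  (openpgp-format-fingerprint (openpgp-public-key-fingerprint key)))

(define (check-release-signature tarball sig-file keyring allowed)
  "Verify TARBALL against the detached signature in SIG-FILE using KEYRING.
Return one of the symbols: trusted, unexpected-signer, missing-key,
bad-signature.  A missing key is reported, not treated as an error, so a
caller that only downloaded keys opportunistically can choose to continue."
  (let ((signature (load-armored-signature sig-file)))
    (call-with-input-file tarball
      (lambda (data)
        (call-with-values
            (lambda () (verify-openpgp-signature signature keyring data))
          (lambda (status key-or-id)
            (match status
              ('good-signature
               ;; Good cryptographic signature; now enforce the package's
               ;; declared signer list, which is the new check proposed here.
               (if (member (key-fingerprint key-or-id) allowed)
                   'trusted
                   'unexpected-signer))
              ('missing-key 'missing-key)
              (_ 'bad-signature)))))
      #:binary #t)))

;; Usage (paths are placeholders):
;; (check-release-signature "foo-1.0.tar.gz" "foo-1.0.tar.gz.asc"
;;                          (load-keyring "release-keys.gpg")
;;                          release-signing-keys)
```

The distinction between `unexpected-signer` and `bad-signature` is the point of the proposed field: a tarball can carry a perfectly valid signature from a key that is not the project's release key, and only the package-level allow-list catches that case. Revocation is deliberately out of scope here, matching the limitation noted in the message.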