On Sun, 28 Dec 2025 09:21:10 +0100, Rutherther <[email protected]> wrote:
 
…
Simon Josefsson <[email protected]> writes:
> Rutherther <[email protected]> writes:
>
>> Installation script: https://guix.gnu.org/guix-install.sh
> ...
>> All of these files are signed at <link>.sig. They are all signed by
>> Rutherther, you can get his public key from [1], then import it using
>> “gpg --import”.
> ...
>> • SHA256 hashes
>
> The guix-install.sh script does not seem to have a *.sig file, nor is it
> included in the SHA256 hash list.

That is true. That is because the script tracks master of the Guix
repository and we cannot be sure no one will change it in the following
days. So we cannot include it in the SHA256 hash list as it is not
'part' of the release by itself. It having a different hash afterwards is
not a bug and it would be confusing to users if it was included in the
list and changed. Generally the install script is improved even after
the release, while parts of it are tied to the tarball, a large part of it
isn't. For example the /etc/profile.d/zzz-guix.sh lives in the script
and might be changed. This is then used to improve it even throughout
the time when there isn't any release.

> Since this script is often run by
> root, I think it should have some security protection beyond WebPKI
> https URL assurance. Maybe already tracked in some bug report? Still,
> would be great to see improved for 1.5.0.

I do not know of such an issue, feel free to create it. This would
require serious rethinking on how to manage this script, though. Because
automatic updates would no longer be possible.
…
The last time I saw an issue on it was 7 years ago ([email protected]) where 
including an .asc signature file was mentioned but ultimately they decided to 
just close the issue without change.

If a signature file could be added when copying the installer to 
https://guix.gnu.org/install.sh and then referenced in the manual (2.1 Binary 
Installation), it would increase trust when bootstrapping a fresh build on a 
foreign distribution.  Currently I use the manual install steps since I don't 
want to check/verify the script each time.  
 
Cheers,
  whk
