On 2025-09-16, Ludovic Courtès wrote:
> Simon Josefsson <[email protected]> writes:
>>> Right, we should improve the doc. Most of the time, that means checking
>>> the signature on the release tag.
>>
>> Couldn't that be automated? Or is it already? If upstream's PGP or SSH
>> public key is saved, a comparison could be made automatically, assuming
>> guix downloads a package using the git protocol (or some other way that
>> preserves the git tag signature validity).
>
> ‘guix refresh -u’ automatically checks the OpenPGP signature on tarballs
> when such signatures exist.
How does it check if it was signed by the "right" key, as opposed to just
signed by any old key we happened to find on the internet?

Last I looked, there was no place to record an upstream signing key (or
keyring) for each upstream source, but it was admittedly a while ago...

live well,
  vagrant
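The distinction the reply draws, "a valid signature" versus "a valid signature from the key we recorded for this upstream", is a small amount of logic on top of gpg's machine-readable status output. The following is an added example, not code from Guix or from anyone in this thread, showing one way to pin an upstream key: verify against a dedicated keyring rather than the user's default one, then compare the fingerprint gpg reports in its VALIDSIG line with a per-upstream allowlist. The `PINNED` table, the fingerprints, the file names and the gpg status lines are all constructed for illustration; only `verdict_from_status` runs offline, the two wrappers need `gpg` and `git` plus a keyring populated with just the upstream's key.

```python
"""Verify a release signature against a pinned upstream key.

Added example, not code from Guix or from the thread participants.  A
signature is accepted only when gpg reports it as valid AND the signing
key (or its primary key) is the one recorded for that upstream.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Hypothetical per-upstream allowlist of primary-key fingerprints.
PINNED: Dict[str, Set[str]] = {
    "libfoo": {"ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"},
}

# Status tags that mean "do not accept", whatever else gpg prints.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str]  # key that actually made the signature
    reason: str


def _norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def verdict_from_status(status_lines: Iterable[str], allowed: Set[str]) -> Verdict:
    """Decide from gpg --status-fd lines whether the signature is good and
    comes from an allowed key.

    VALIDSIG fields: <signing fpr> <date> <ts> <exp ts> <ver> <rsvd>
    <pubkey algo> <hash algo> <sig class> [<primary key fpr>].  Comparing
    the primary fingerprint too lets an upstream that signs with a subkey
    still match the pinned primary key.
    """
    allowed_norm = {_norm(a) for a in allowed}
    signing_fpr = primary_fpr = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in FAILURE_TAGS:
            return Verdict(False, None, tag)
        if tag == "VALIDSIG":
            signing_fpr = _norm(fields[2])
            primary_fpr = _norm(fields[11]) if len(fields) > 11 else signing_fpr
    if signing_fpr is None:
        return Verdict(False, None, "no VALIDSIG in gpg status output")
    if signing_fpr in allowed_norm or primary_fpr in allowed_norm:
        return Verdict(True, signing_fpr, "signed by pinned upstream key")
    # The "any old key we happened to find" case: gpg is satisfied, but the
    # key is not the one recorded for this upstream.
    return Verdict(False, signing_fpr, "valid signature from an unpinned key")


def verify_tarball(tarball: str, signature: str, keyring: str, allowed: Set[str]) -> Verdict:
    """Detached-signature check against a dedicated keyring (give an absolute
    path), never the user's default keyring, then the pinning rule."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return verdict_from_status(proc.stdout.splitlines(), allowed)


def verify_git_tag(repo: str, tag: str, gnupghome: str, allowed: Set[str]) -> Verdict:
    """Same rule for a signed git tag: `git verify-tag --raw` prints the raw
    gpg status lines on stderr.  GNUPGHOME points git's gpg at a directory
    whose keyring holds only the recorded upstream keys."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True, check=False,
        env={**os.environ, "GNUPGHOME": gnupghome})
    return verdict_from_status(proc.stderr.splitlines(), allowed)


# Constructed gpg status output for four situations (not real signatures).
PINNED_FPR = "ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234"
SUBKEY_FPR = "1111222233334444555566667777888899990000"
STRANGER_FPR = "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"


def _status(signing: str, primary: str):
    return [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {signing[-16:]} Upstream Maintainer <upstream@example.org>",
        f"[GNUPG:] VALIDSIG {signing} 2025-09-16 1758000000 0 4 0 1 10 00 {primary}",
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",  # web-of-trust state is irrelevant: we pin
    ]


STATUS_PINNED = _status(PINNED_FPR, PINNED_FPR)      # accepted
STATUS_SUBKEY = _status(SUBKEY_FPR, PINNED_FPR)      # accepted via primary
STATUS_STRANGER = _status(STRANGER_FPR, STRANGER_FPR)  # valid but unpinned
STATUS_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG ABCD1234ABCD1234 Upstream"]

if __name__ == "__main__":
    for name, lines in [("pinned", STATUS_PINNED), ("subkey", STATUS_SUBKEY),
                        ("stranger", STATUS_STRANGER), ("bad", STATUS_BAD)]:
        print(name, verdict_from_status(lines, PINNED["libfoo"]))
```

Running the file prints the four verdicts; only the first two are accepted. Note that the check deliberately ignores gpg's trust state (TRUST_UNDEFINED is fine) because the fingerprint comparison is the trust decision, and that it refuses on a missing VALIDSIG rather than treating "no signature found" as success.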
