Hey Vagrant,

Replying to an old message…

Vagrant Cascadian <[email protected]> writes:

> On 2025-09-16, Ludovic Courtès wrote:
>> ‘guix refresh -u’ automatically checks the OpenPGP signature on tarballs
>> when such signatures exist.
>
> How does it check if it was signed by the "right" key, as opposed to
> just signed by any old key we happened to find on the internet? Last I
> looked, there was no place to record an upstream signing key (or
> keyring) for each upstream source, but it was admittedly a while ago...

It’s trust-on-first-use (TOFU), and it’s per-developer.

That is, the first time ‘guix refresh -u’ encounters a missing key, it
offers to download it to a local keyring.

Storing signing key fingerprints as package properties would be an
improvement.  There’s still the problem though that there’s usually no
clear way for upstream developers to communicate key changes downstream.

(And more importantly, tarballs are on the decline; having ‘guix refresh
-u’ verify signed Git tags would be useful!)

Ludo’.
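As an added illustration (mine, not Guix code, and not using Guix's own OpenPGP implementation) of the difference between the per-developer TOFU check described above and a signing-key fingerprint recorded as a package property: the snippet parses constructed GnuPG `--status-fd` output, so the package name, fingerprints and e-mail address are placeholders.

```python
import re

# GnuPG with --status-fd emits machine-readable lines; VALIDSIG carries the
# full fingerprint of the key that produced a good signature.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")

# Constructed sample status output (not captured from a real run);
# fingerprints and the address are placeholders.
UPSTREAM_FPR = "1111222233334444555566667777888899990000"
OTHER_FPR = "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 7777888899990000 Upstream Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {UPSTREAM_FPR} 2025-09-16 1758000000 0 4 0 22 8 00 {UPSTREAM_FPR}\n"
)
STATUS_OTHER_KEY = STATUS_GOOD.replace(UPSTREAM_FPR, OTHER_FPR)
STATUS_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 7777888899990000 Upstream Dev <dev@example.org>\n"
)

def signing_fingerprint(status_output):
    """Fingerprint from the VALIDSIG line, or None when no valid signature was reported."""
    for line in status_output.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            return m.group(1)
    return None

def check_tofu(package, status_output, seen):
    """Trust-on-first-use: the first key seen for a package is recorded in `seen`
    (a stand-in for the developer's local keyring) and later keys must match it.
    Whatever key signs the first tarball is accepted, and a later change
    cannot be told apart from a legitimate upstream key rotation."""
    fpr = signing_fingerprint(status_output)
    if fpr is None:
        return "no-valid-signature"
    if package not in seen:
        seen[package] = fpr
        return "accepted-on-first-use"
    return "ok" if seen[package] == fpr else "key-changed"

def check_pinned(status_output, pinned_fpr):
    """Pinned fingerprint recorded as a package property: only that key is
    accepted, so a signature from any other key fails even on first use."""
    fpr = signing_fingerprint(status_output)
    if fpr is None:
        return "no-valid-signature"
    return "ok" if fpr == pinned_fpr else "unexpected-signing-key"
```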
