Hi Vagrant, Vagrant Cascadian <vagr...@debian.org> skribis:
> This isn't exactly pretty, and obviously a better long-term solution is > needed, but I wrote a quick shell script to at least partially addresses > some my biggest fears with guix pull... > > Basically, it updates a git checkout, checks the signatures on the > commits, looking for the topmost signed commit by a key in a specific > keyring, and then runs guix pull with that commit. Thanks for sharing! Even if it’s not the long-term solution, it’s a useful way to see how to move forward. > It relies on a custom gpg directory and assumes any of the keys in the > keyring are valid potential signers of the commits; the web of trust is > essentially ignored. > > I really don't like having a custom GNUPGHOME, but I didn't see any > other obvious way to pass arguments to git to use a custom keyring. I > populated this GNUPGHOME with keys from: > > > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1 > > And then ran gpg --refresh-keys on it, as several keys were > outdated/expired. ‘gpgv’, which is recommended for this use case, has a ‘--keyring’ argument. I suppose we could use that. > (an alternative approach to populate the keyring might be: > https://gitlab.com/Efraim/guix-keyring) Indeed, didn’t know about this repo. Thank you, Ludo’.
