Hello Guix, I'll get right to the point: I goofed up earlier tonight, and pushed to master a commit [0] modifying build-aux/git-authenticate.scm. Since we're all to sign our commits, as a result, in addition to Ludo’s key you now need to add my GPG key to your keyring as well, before invoking git-verify-commit on that file as shown in the manual.
[0]: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c2cf286c62933d2806ae17b8287520820bf87c7e Backstory: as I myself had not yet started using git-authenticate, I had not read the bit about it in the manual. And it did not occur to me to do a git-blame or git-log on the file before committing to it, in order for me to notice that until that point only Ludo’ had committed to it. Chatting with Ludo’ and others in #guix, it seems that it's not too far fetched for committers to update their own keys and information in the git-authenticate script, and I just happened to be the first person walking into it. :-) As such, the manual will be updated to clarify that keys other than Ludo’s have been used to sign commits to build-aux/git-authenticate.scm, and folks looking to verify and use the script need to fetch them from the respective committers' Savannah profile in addition to Ludo’s key. fishyfriend on #guix kindly volunteered to send a patch clarifying this. For those looking to fetch my GPG key in order to verify the legitimacy of my commit(s) to git-authenticate, you can get a copy of my key from my Savannah profile [1]; or since I happen to be a GNU maintainer, from the GNU maintainers keyring [2]. The key is the same one I have used to sign my previous commits to guix.git with, and the one I have signed my messages to this list with, including this very message, with primary fingerprint BE62 7373 8E61 6D6D 1B3A 08E8 A21A 0202 4881 6103, and signing subkey 39B3 3C8D 9448 0D2D DCC2 A498 8B44 A0CD C7B9 56F2. [1]: https://savannah.gnu.org/users/bandali [2]: https://ftp.gnu.org/gnu/gnu-keyring.gpg Sorry for any inconvenience or confusion this may have caused. Best, amin
signature.asc
Description: PGP signature
