On Mon, Aug 24, 2020 at 04:36:22PM +0200, Ludovic Courtès wrote:
> Hi!
>
> Justus Winter skribis:
>
> > Ludovic Courtès writes:
>
> [...]
>
> We can introduce signature verification in (guix download): every time
> code is downloaded and signature metadata is available, we verify its
> signat
Hi!
Justus Winter skribis:
> Ludovic Courtès writes:
[...]
>> The idea of storing cryptographic metadata directly in has been
>> discussed a few times:
>>
>> https://lists.gnu.org/archive/html/help-guix/2016-08/msg00132.html
>> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg001
Hello :)
Ludovic Courtès writes:
> Justus Winter skribis:
>> So I think two things need to happen before this step can be improved:
>> The package metadata should include the URL of the signature and a set
>> of cryptographic identities eligible for signing the artifact.
>
> The idea of storing
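The "set of cryptographic identities eligible for signing the artifact" quoted above is the trust anchor for such a check; the following is an added example, not Guix code and not something proposed in this thread, of how a verifier could apply that set once the detached signature has been fetched and handed to gpg. It parses GnuPG's --status-fd lines against a hypothetical package record; the record, the fingerprints and the captured status output are all constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PackageSource:  # hypothetical metadata record, not a Guix one
    url: str
    signature_url: str
    eligible_fingerprints: frozenset  # primary-key fingerprints allowed to sign
# GnuPG --status-fd line (doc/DETAILS): VALIDSIG <fpr> <date> <ts> <exp-ts>
# <ver> <reserved> <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8}(?: (\S+))?$")
# None of these may be accepted; rejecting an expired key (EXPKEYSIG) is
# this example's policy, not something gpg decides for you.
_REJECT = ("[GNUPG:] BADSIG ", "[GNUPG:] ERRSIG ",
           "[GNUPG:] REVKEYSIG ", "[GNUPG:] EXPKEYSIG ")

def acceptable_signer(status_output, source):
    """Return (ok, reason). Only a VALIDSIG whose *primary* key fingerprint
    is in the eligible set passes: a signature made by a subkey reports the
    subkey fingerprint first, so comparing that field alone would reject
    legitimate signatures, and a bare GOODSIG never identifies the key.
    gpg's TRUST_* verdict is ignored on purpose: the pinned set is the
    trust anchor, so a key gpg calls 'unknown' is fine if it is listed."""
    lines = status_output.splitlines()
    bad = [l for l in lines if l.startswith(_REJECT)]
    if bad:
        return False, "rejected: " + bad[0]
    for line in lines:
        m = _VALIDSIG.match(line)
        if m:
            primary = (m.group(2) or m.group(1)).upper()
            if primary in source.eligible_fingerprints:
                return True, "signed by eligible key " + primary
            return False, "valid signature, but %s is not eligible" % primary
    if any(l.startswith("[GNUPG:] GOODSIG ") for l in lines):
        return False, "GOODSIG without VALIDSIG: signing key not identified"
    return False, "no signature status reported"

# Constructed sample: the signature was made by a subkey (first VALIDSIG
# field) of the eligible primary key (last field).
SAMPLE_SOURCE = PackageSource(
    url="https://example.org/foo-1.0.tar.gz",
    signature_url="https://example.org/foo-1.0.tar.gz.sig",
    eligible_fingerprints=frozenset({"0123456789ABCDEF0123456789ABCDEF01234567"}))
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-07-01 \
1593561600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

`acceptable_signer(SAMPLE_STATUS, SAMPLE_SOURCE)` accepts because the primary key is listed; listing only the subkey fingerprint, or feeding a BADSIG or a lone GOODSIG line, is refused.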
Dear,
On Mon, 27 Jul 2020 at 14:54, Ludovic Courtès wrote:
> Of course we could have additional tools to make use of that info, say
> ‘guix build -S --authenticate’ or something. But that would still be
> optional.
What do you mean?
The command "guix build -S" returns the tarball (where non-f
Hi Justus!
Justus Winter skribis:
>> Before submitting a patch that adds or modifies a package definition,
>> please run through this check list:
>>
>> 1. If the authors of the packaged software provide a cryptographic
>> signature for the release tarball, make an effort to verify the
>> a
Hello :)
doing some packaging lately I noticed a weak link in Guix'
authentication chain. Artifacts downloaded by Guix are authenticated
using a hashsum included in the packaging definition, and 'guix
download' will compute this hashsum over artifacts, but the step of
authenticating the artifact