Hello,

Just a note for later…

ludo@gnu.org (Ludovic Courtès) skribis:

> With the quick-hack libgit2 bindings attached, I can run this program,
> which authenticates HEAD:

[...]

> So I think we can go from here.  Our repo would contain a Scheme list of
> authorized OpenPGP fingerprints, and we’d check whether the fingerprint
> that shows up in ‘valid-signature’ above is among them

Storing the list of authorized keys in a file in the repo is
inconvenient: simply to retrieve it, you’d need to make a checkout.  So
for each commit we verify, we have to check out the whole repo, which is
inefficient.

While reading , I realized we could store it in empty Git commit
messages, which would address the above problem (we could use a custom
object type too, but that would be less convenient.)

So the special commit could look like:

  Authorization

  (commit-authorizations
    (authorization-commit (KEY1 KEY2 …))
    (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))
    (files _ (KEY1 KEY2 …)))                  ;all other files

That way, to authenticate a commit, we first fetch the latest
authorization commit, read the authorization rules from there, and make
sure that the changes it makes match the rules.

Thoughts?

Ludo’.
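The check sketched in the message above, as an added Python example that is not part of this message or of Guix: it parses the authorization s-expression out of a commit message and decides whether a signer's fingerprint may make a given change. The key names and the file rules are constructed placeholders; a real implementation would take the signer from the verified OpenPGP signature and the paths from the commit's diff.

```python
import re

# Constructed authorization commit message in the format proposed above.
# KEY1..KEY3 stand in for OpenPGP fingerprints.
AUTHORIZATION_MESSAGE = """Authorization

(commit-authorizations
  (authorization-commit (KEY1 KEY2))
  (files ("hydra.gnu.org.pub") (KEY1))
  (files _ (KEY1 KEY2 KEY3)))      ;all other files
"""


def parse_rules(message):
    """Return the first s-expression in MESSAGE as nested Python lists."""
    text = re.sub(r';.*', '', message)            # drop Lisp-style comments
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text)

    def read(pos):
        if tokens[pos] == '(':
            items, pos = [], pos + 1
            while tokens[pos] != ')':
                item, pos = read(pos)
                items.append(item)
            return items, pos + 1
        return tokens[pos].strip('"'), pos + 1   # atom (string or symbol)

    sexp, _ = read(tokens.index('('))            # skip the "Authorization" header
    return sexp


def keys_for_path(rules, path):
    """Keys allowed to change PATH: the first matching (files ...) rule wins."""
    for rule in rules[1:]:
        if rule[0] == 'files' and (rule[1] == '_' or path in rule[1]):
            return set(rule[2])
    return set()


def commit_authorized(rules, signer, changed_files, authorization_commit=False):
    """True if SIGNER may make a commit touching CHANGED_FILES under RULES.

    An authorization commit (empty commit carrying new rules) is instead
    checked against the (authorization-commit ...) key list."""
    if authorization_commit:
        return any(rule[0] == 'authorization-commit' and signer in rule[1]
                   for rule in rules[1:])
    return all(signer in keys_for_path(rules, f) for f in changed_files)
```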