Hi Attila, Attila Lendvai skribis: > * guix/git-authenticate.scm (authenticate-commit): Reword and extend the error > message to point to the relevant part of the manual. > (authenticate-repository): Explicitly authenticate the channel introduction > commit, so that it's also rejected unless it is signed by an authorized > key. Otherwise only the second commit would yield an error, which > is confusing. This behavior is intentional and documented (info "(guix) Specifying Channel Authorizations"): Channel introductions answer these questions by describing the first commit of a channel that should be authenticated. The first time a channel is fetched with ‘guix pull’ or ‘guix time-machine’, the command looks up the introductory commit and verifies that it is signed by the specified OpenPGP key. From then on, it authenticates commits according to the rule above. […] The channel introduction, as we saw above, is the commit/key pair—i.e., the commit that introduced ‘.guix-authorizations’, and the fingerprint of the OpenPGP used to sign it. By definition, parent commits of the introduction do not (not necessarily) provide ‘.guix-authorizations’. So there’s nothing to be done here, other than checking that the introductory commit is indeed signed by the key specified in the introduction. Does that make sense? (Other patches you posted in this thread might be useful though, but we can discuss them independently.) Thanks, Ludo’. PS: If you haven’t already, you can take a look at the following pages for more on the design rationale: https://guix.gnu.org/en/blog/2020/securing-updates/ https://issues.guix.gnu.org/22883#69