The attached patch disallows SHA1 signatures on commits, as recommended
As explained there, SHA1 is no longer the default for signatures since
the release of GnuPG 2.0 in 2006, but there are still users of GnuPG 1.x.
In our repository, there are 132 SHA1 signatures since ‘v1.0.0’ (last
one in April 2020) by three fellow hackers who have since updated their
config along the lines of item #2 at:
With this patch, any commit with a SHA1 signature made after
c91e27c60864faa229198f6f0caf620275c429a2 (May 1st), which introduces
‘.guix-authorizations’, is rejected (it is not a timestamp-based check
because timestamps can always be forged). If one of us makes a mistake,
we’ll have to hard-reset prior to the faulty commit.
For the record, this was previously discussed at:
If you have any questions, please let me know. Feedback welcome!