Hello Guix!

Ludovic Courtès wrote:

> To begin with, I propose the attached script: when given a commit range,
> it authenticates each commit, meaning that it ensures commits have a
> valid signature and that that signature was made by one of the
> authorized keys. Sample session:
>
> $ time ./pre-inst-env guile -e git-authenticate build-aux/git-authenticate.scm d68de958b60426798ed62797ff7c96c327a672ac 099ce5d4901706dc2c5be888a5c8cbf8fcd0d576
> Authenticating d68de95 to 099ce5d (7938 commits)...
> Signing statistics:
> BCA689B636553801C3C62150197A5888235FACAC 1454
> 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 1025
> BBB02DDF2CEAF6A80D1DE643A2A06DF2A33A54FA 941
>
> [...]
>
> real 2m21.272s
> user 1m38.741s
> sys 0m59.546s

I’ve now committed this file:

  b3011dbbd2 doc: Mention "make authenticate".
  787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
  785af04a75 git: 'commit-difference' takes a list of excluded commits.
  1e43ab2c03 Add 'build-aux/git-authenticate.scm'.

Commit 787766ed1e takes care of caching (one of the limitations I mentioned in my previous message). Commit b3011dbbd2 adds instructions for contributors on how to authenticate a checkout (copied below). It’s a bit bumpy so I would very much welcome feedback and suggestions on how to improve this!

Thanks in advance!

Ludo’.

--8<---------------cut here---------------start------------->8---
If you want to hack Guix itself, it is recommended to use the latest version from the Git repository:

  git clone https://git.savannah.gnu.org/git/guix.git

How do you ensure that you obtained a genuine copy of the repository? Guix itself provides a tool to “authenticate” your checkout, but you must first make sure this tool is genuine in order to “bootstrap” the trust chain.

To do that, run:

  git verify-commit `git log --format=%H build-aux/git-authenticate.scm`

The output must look something like:

  gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
  gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
  ...
  gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
  gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
  ...

... meaning that changes to this file are all signed with key ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this key from a key server, if you have not done it yet).

From there on, you can authenticate all the commits included in your checkout by running:

  make authenticate

The first run takes a couple of minutes, but subsequent runs are faster.

Note: You are advised to run ‘make authenticate’ after every ‘git pull’ invocation. This ensures you keep receiving valid changes to the repository.
--8<---------------cut here---------------end--------------->8---
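The bootstrap check the manual describes (every commit touching build-aux/git-authenticate.scm signed by an authorized key) as an added shell example; this is not code from the message or from Guix's own git-authenticate.scm. It parses the gpg status lines that `git verify-commit --raw` writes to stderr and accepts only when every signature is a VALIDSIG from a fingerprint in AUTHORIZED_KEYS; the status lines below are constructed, and the all-zero fingerprint is a placeholder for an unauthorized key, not a real one.

```shell
#!/bin/sh
# Authorized signer fingerprints, space-separated (the key named in the manual).
AUTHORIZED_KEYS="3CE464558A84FDC69DB40CFB090B11993D9AEBB5"

# Read gpg status lines (what `git verify-commit --raw` writes to stderr) on stdin.
# Print "<signatures seen> <signatures by authorized keys>" and exit 0 only when at
# least one signature was seen and every one is a VALIDSIG by an authorized key.
# On a VALIDSIG line field 3 is the signing fingerprint, the last field the primary key's.
check_signatures() {
    awk -v keys="$AUTHORIZED_KEYS" '
        BEGIN { n = split(keys, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "NEWSIG"   { sigs++ }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if (ok[$3] || ok[$NF]) good++ }
        END { print sigs + 0, good + 0; exit (sigs > 0 && sigs == good) ? 0 : 1 }'
}

# Walk the history of one file in a checkout (the same commit list as the manual's
# `git log --format=%H`) and verify each commit; stop at the first bad one.
authenticate_file_history() {
    repo=$1; file=$2
    for c in $(git -C "$repo" log --format=%H -- "$file"); do
        git -C "$repo" verify-commit --raw "$c" 2>&1 | check_signatures >/dev/null ||
            { echo "commit $c: not signed by an authorized key" >&2; return 1; }
    done
}

# Constructed sample status output: one good signature by the authorized key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 2019-12-27 1577449661 0 4 0 1 8 00 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
[GNUPG:] TRUST_FULLY 0 pgp'

# Constructed sample: a cryptographically valid signature, but from a key that is
# not authorized (the all-zero fingerprint is a placeholder, not a real key).
ROGUE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Somebody Else <other@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-12-27 1577449661 0 4 0 1 8 00 0000000000000000000000000000000000000000'

# Demo on the constructed samples (a real run would call authenticate_file_history).
for sample in GOOD_STATUS ROGUE_STATUS; do
    eval "status=\$$sample"
    if printf '%s\n' "$status" | check_signatures; then
        echo "$sample: all signatures authorized"
    else
        echo "$sample: REJECTED"
    fi
done
```

An unsigned commit produces no VALIDSIG line at all, so it is rejected the same way as a signature from an unauthorized key.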