And for posterity, here’s the script I used to reproduce the problem: it’d pick 10 packages at random and call ‘ca-certificate-bundle’ on them. Since this bug depends on what’s in the store, I’d run it on my laptop, which only contains a fraction of the 18K packages in Guix, so it would reproduce the bug after a couple of iterations. That, together with the inevitable ‘pk’ calls plus a bit of chance, voilà! Ludo’.