On 2019-12-27, Ricardo Wurmus wrote:
>>   b3011dbbd2 doc: Mention "make authenticate".
>>   787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
>>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
>>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
>>
>> Commit 787766ed1e takes care of caching (one of the limitations I
>> mentioned in my previous message).
>>
>> Commit b3011dbbd2 adds instructions for contributors on how to
>> authenticate a checkout (copied below).  It’s a bit bumpy so I would
>> very much welcome feedback and suggestions on how to improve this!
>
> This is great!

Yes! Yes!


> Thank you for the instructions.  I thought I had all keys, but
> apparently at least one of them is missing.  “make authenticate” fails
> for me with this error:
>
> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
>
> I previously downloaded the gpg keyring from Savannah:
>
>     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>
> Looks like Hartmut used to use a different key, which I don’t have.

I got this too, and manually worked around it by downloading
guix-keyring.gpg from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And running:

  gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg

It seems to be working now... how is the keyring *supposed* to be
populated? Before I manually imported guix-keyring.gpg into guix.kbx,
there were a very small number of keys present.


It's a little awkward that it uses the fingerprint of the signing key
rather than the primary key, as by default things like "gpg --list-keys"
do not display the fingerprint of signing keys, only the primary key, so
it is an adventure in gpg commandline options to correlate them.

"gpg log --show-signature" also reports the the primary key fingerprint,
if the key is available in the keyring, and only the subkey fingerprint
for unknown keys if I remember correctly.

It would be nice if the statistics would display the primary uid
instead, as it is something a little more human readable, and the
primary key fingerprint, as it is a little easier to find. :)


I'm hoping the eventual goal is to integrate this into guix pull?


Very nice to see progress on this issue!


live well,
  vagrant