> Objects aren’t malicious. Perhaps you’re talking about situations where
> a mirror provides a tarball along with a valid signature, but said
> signature is made with a random key, and the tarball is actually not
> genuine, right?

Yep.

> Second, this is the same model as used by the OpenSSH client. When the
> client is first introduced to a host, it presents you its key
> fingerprint, you type ‘y’, and that key gets added to your known hosts
> file. From there on, person-in-the-middle attacks are trivially
> detected as a key mismatch.

AFAICT, 'guix refresh' doesn't allow checking fingerprints. If so, we
must change it. Am I mistaken? I'm not sure because it fails on my
machine:

# ./pre-inst-env guix refresh -u
[...]
In execlp of gpg2: No such file or directory
guix refresh: warning: signature verification failed for `guile-2.0.9.tar.gz'
guix refresh: warning: (could be because the public key is not in your keyring)
gnu/packages/guile.scm:48:12: guile: updating from version 1.8.8 to version 2.0.9...
Backtrace:
In ice-9/boot-9.scm:
 157: 12 [catch #t # ...]
In unknown file:
   ?: 11 [apply-smob/1 #]
In ice-9/boot-9.scm:
  63: 10 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 9 [eval # #]
In ice-9/boot-9.scm:
2320: 8 [save-module-excursion #]
3966: 7 [#]
In unknown file:
   ?: 6 [load-compiled/vm "/root/.cache/guile/ccache/2.0-LE-4-2.0/home/guix-test2/scripts/guix.go"]
In guix/ui.scm:
 417: 5 [guix-main "/home/guix-test2/scripts/guix" "refresh" "-u"]
In ice-9/boot-9.scm:
 157: 4 [catch srfi-34 # ...]
In srfi/srfi-1.scm:
 619: 3 [for-each # ...]
In guix/scripts/refresh.scm:
 167: 2 [# #]
In ice-9/boot-9.scm:
 788: 1 [call-with-input-file #f ...]
In unknown file:
   ?: 0 [open-file #f "r" #:encoding #f #:guess-encoding #f]

ERROR: In procedure open-file:
ERROR: Wrong type (expecting string): #f

> It’s exactly what I would do manually. What about you?

It depends. I usually use a similar page [1] to compare fingerprints
and also check via keys.gnupg.net. Sometimes I try to get more
information elsewhere. Again, the sad truth is that it's easier not to
sign an ingenuine tarball at all.

>> Is it possible to use three mirrors to check keys and tarballs?
> Check against what? What do you want to address?

Check them against each other. But it's not the case because 'guix
refresh' uses one server per package.

> I’ve made this suggestion to one of the FSF sysadmins, but it seems to
> need further discussion, and probably input from crypto-savvy people.

OK.

[1] http://gcc.gnu.org/mirrors.html
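The pinned-fingerprint check discussed in this thread (a tarball signature counts only if the signing key is one already recorded, the way an OpenSSH client treats known_hosts), as an added Python example that is not part of this message or of Guix itself. The `PINNED` table, its `guile` entry, every fingerprint and the sample gpg status lines are constructed placeholders; only the `[GNUPG:] VALIDSIG` status-line layout is gpg's real format.

```python
import subprocess

# Constructed placeholders, not real GNU signing keys: fingerprints the user
# has already accepted per upstream, analogous to an SSH known_hosts file.
PINNED = {"guile": {"0000000000000000000000000000000000000001"}}

def parse_validsig(status_output):
    """Primary-key fingerprint (uppercase hex) from a gpg --status-fd VALIDSIG
    line, or None when gpg reported no valid signature at all."""
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            # f[2] is the signing (sub)key; the last field is the primary key
            # fingerprint, the stable identity worth pinning.
            return f[-1].upper()
    return None

def check_pinned(package, status_output):
    """Accept only a VALIDSIG whose primary key is pinned for `package`.
    A valid signature from an unpinned key is the mirror's "random key" case."""
    fpr = parse_validsig(status_output)
    if fpr is None:
        return (False, "no valid signature (bad signature or key not in keyring)")
    if fpr not in PINNED.get(package, set()):
        return (False, "valid signature, but key %s is not pinned for %s" % (fpr, package))
    return (True, fpr)

def verify_tarball(package, tarball, signature, gpg_binaries=("gpg2", "gpg")):
    """Run the first gpg binary found, then apply the pinned-fingerprint check.
    A missing binary is reported as a result instead of surfacing as a backtrace."""
    for gpg in gpg_binaries:
        try:
            proc = subprocess.run(
                [gpg, "--batch", "--status-fd", "1", "--verify", signature, tarball],
                capture_output=True, text=True)
        except FileNotFoundError:
            continue  # the "In execlp of gpg2: No such file or directory" condition
        return check_pinned(package, proc.stdout)
    return (False, "no gpg binary found among %s" % (gpg_binaries,))

# Constructed gpg status output: a signature by the pinned key...
STATUS_PINNED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>\n"
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2013-04-12"
    " 1365724800 0 4 0 1 10 00 0000000000000000000000000000000000000001\n")
# ...by a key that verifies fine but was never pinned (a mirror's own key)...
STATUS_RANDOM_KEY = STATUS_PINNED.replace(
    "0000000000000000000000000000000000000001", "DEADBEEF" * 5)
# ...and a key absent from the keyring, which yields no VALIDSIG line.
STATUS_NO_PUBKEY = "[GNUPG:] NEWSIG\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
```

`check_pinned` can be run directly on the three constructed status strings; `verify_tarball` needs a real gpg2 or gpg on PATH plus a tarball and detached signature.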