As requested in the discussion on "Trustable guix pull" [0], I've recently started signing the commits I push to Savannah. At first, I set "gpgsign = true" in my Guix repo's Git config. This requires you to sign every commit you make. It's effective, but I found it annoying to provide my signing key while doing exploratory hacking, rebasing a branch on master, etc. Instead, I want to sign after my final "self-review" and before pushing to Savannah or sending patches to the list for final review. So, I've attached a pre-push Git hook that should prevent unsigned commits from being pushed to any remote [1]. I've also attached a shell function that will sign commits besides HEAD (useful for signing a range of commits). I didn't find a more Git-idiomatic way to sign an existing commit besides HEAD. Please let me know if you see any problems with this approach, or if you can suggest some improvements. [0] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16 [1] One could make it remote-specific if desired.