More questions:

1. Will hydra.gnu.org serve only signed .narinfo files?

2. If not, how can one opt out of verifying while using ‘guix substitute-binary’? Should we add an option to ‘guix package’ and ‘guix build’?

3. How does a user get Hydra’s public key?

4. Will the entire cache be signed with a single key? (Mark, would you like to add something?)

5. When do we want to verify the .narinfo file? Can it be done in ‘read-narinfo’? Similarly, should we sign and base64-encode in ‘write-narinfo’?

6. Where should ‘guix substitute-binary’ look for a keypair?

7. How do we determine that a file is signed with a trusted key? What if we don’t have the needed public key? Does it mean we miss the right one, or is it a MITM attack?