Hi guix-devel,

I coded up the following recently:

[start snip]
;; TODO does this check all the right fields?
(use-modules (gnutls) (rnrs bytevectors))

;; Key IDs (as returned by x509-certificate-key-id) of the public keys
;; we expect these hosts to present, regardless of which CA signed them.
(define %pinned-public-keys
  '(("content.minetest.net"
     . #u8(188 216 200 89 188 149 240 145 93 189 114 207 239 50 157 141 57 196 11 102))
    ("ftp.gnu.org"
     . #u8(100 133 126 118 117 115 141 72 253 200 108 158 64 47 85 199 90 0 253 179 181))
    ("www.stackage.org"
     . #u8(101 7 34 114 166 42 66 55 116 60 42 253 85 30 134 236 217 108 67 119))
    ("hackage.haskell.org"
     . #u8(80 123 226 229 92 27 203 99 130 198 72 113 250 28 247 58 254 19 104 79))
    ("fastapi.metacpan.org"
     . #u8(86 7 157 232 133 127 13 58 144 86 37 162 91 239 203 138 150 84 56 67))
    ("cran.r-project.org"
     . #u8(60 80 123 29 14 43 131 116 105 126 126 58 154 231 6 150 216 158 70 213))
    ("web.cvs.savannah.gnu.org"
     . #u8(66 134 131 20 232 136 162 102 201 229 202 93 21 161 26 192 176 3 61 38))))

;; Keep the original hostname check and wrap it with the pin check.
(define old (@@ (gnutls) x509-certificate-matches-hostname?))

(set! (@@ (gnutls) x509-certificate-matches-hostname?)
      (lambda (certificate domain)
        (and (old certificate domain)
             ;; If the domain name is known to Guix, verify the public key
             ;; -- the CA could be corrupt or compromised!
             (let ((pinned-key (assoc-ref %pinned-public-keys domain)))
               ;; 'pk' is a debugging print; it returns its last argument,
               ;; so unknown domains (no pin) are accepted as before.
               (or (pk 'd domain pinned-key (not pinned-key))
                   (bytevector=? pinned-key
                                 (x509-certificate-key-id certificate)))))))
[end snip]

I put it in (guix import minetest); it should probably be integrated into (guix build download) instead.

The purpose is to resist a compromise of the CA system. More concretely, if you now do "guix refresh -u minetest-moreores" then a MITM that compromised a CA cannot secretly replace minetest-moreores with a mod that mines bitcoin for the MITM, or something. Possibly also useful for "guix download", "guix import", "guix lint", "guix build --with-latest=...".

A downside is that whenever content.minetest.net changes public keys, the pinned public key in Guix needs to be updated. How often does this happen? I wouldn't know.
This could be partially automated with a "./pre-inst-env guix update-the-pinned-keys" script, and there could be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as an escape hatch. WDYT, worth the trouble or not?
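As an added illustration of the "update-the-pinned-keys" idea above (example code, not from the message or from Guix itself): do a TLS handshake with each pinned host using the same guile-gnutls bindings (guix build download) relies on, read the leaf certificate's key ID, and print it in the alist form of %pinned-public-keys so the table can be regenerated and diffed against the committed one. The names pinned-hosts, current-key-id and key-id-changed? are hypothetical, and only one pinned entry from the message is reproduced here.

```scheme
;; Added example: refresh the pinned key IDs and spot changes.
;; Assumes guile-gnutls and network access to the listed hosts.
(use-modules (gnutls)
             (rnrs bytevectors)
             (web client)             ;open-socket-for-uri
             (web uri)
             (ice-9 format))

;; One entry copied from the message; the real table has more.
(define %pinned-public-keys
  '(("content.minetest.net"
     . #u8(188 216 200 89 188 149 240 145 93 189 114 207 239 50 157 141 57 196 11 102))))

(define pinned-hosts (map car %pinned-public-keys))

(define (current-key-id host)
  "Handshake with HOST on port 443 and return the key ID of the leaf
certificate it presents, as a bytevector."
  (let* ((uri (string->uri (string-append "https://" host "/")))
         (port (open-socket-for-uri uri))
         (session (make-session connection-end/client)))
    (set-session-priorities! session "NORMAL")
    (set-session-credentials! session (make-certificate-credentials))
    (set-session-server-name! session server-name-type/dns host)
    (set-session-transport-fd! session (fileno port))
    (handshake session)
    (let ((cert (import-x509-certificate
                 (car (session-peer-certificate-chain session))
                 x509-certificate-format/der)))
      (bye session close-request/rdwr)
      (close-port port)
      (x509-certificate-key-id cert))))

(define (key-id-changed? host)
  "True if HOST now presents a key different from the pinned one, or has
no pin at all; such hosts need a table update (or an investigation)."
  (let ((pinned (assoc-ref %pinned-public-keys host)))
    (not (and pinned (bytevector=? pinned (current-key-id host))))))

;; Emit the refreshed table in the same form as %pinned-public-keys,
;; flagging entries whose key changed since the table was committed.
(for-each (lambda (host)
            (format #t "  (~s . #u8~a)~a~%" host
                    (bytevector->u8-list (current-key-id host))
                    (if (key-id-changed? host) "   ;; CHANGED" "")))
          pinned-hosts)
```

A "CHANGED" line is expected after a planned key rotation; an unexpected one is exactly the situation the pin is there to catch, so it should be checked out of band before the table is updated.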