Ludovic Courtès schreef op ma 18-04-2022 om 22:24 [+0200]:
> [... guix refresh -u stuff failing due to not finding the key ...]
> I’m not sure what a good solution is (other than looking for the key
> manually on Savannah or on some random key server).

Alternatively, why use key servers at all?  WDYT of something like

(package
  (name "gnurl")
  [...]
  (properties
    ;; Keys that are considered ‘trustworthy’ for signing releases
    ;; of gnurl.
    `((permitted-pgp-signing-keys "CABB A99E ..." "DEAD BEEF ...")
      ;; Locations of PGP key (possibly with some of them pointing to
      ;; the same key)
      (pgp-key-locations
        ,(savannah-pgp-key USER-ID) ... ; most signers are on savannah.gnu.org
        ,(local-file "[...]/someone.pub") ; not easily available from the Web               
        "https://rando/key.pub"
        "ipfs://.../..." "gnunet://...")))) ; download key via P2P networks

The first part (permitted-pgp-signing-keys) has been suggested previously and
seems mostly orthogonal, but the second part is new.  It would reduce
the dependency on central infrastructure.  We could consider key servers
to be ‘merely’ another fallback.

Greetings,
Maxime