On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
> Hello Guix,
> 
> (Cc’ing people with expertise and interest in this…)
> 
> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
> file format to store and read upstream public keys (instead of using the
> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
> of ‘gpg --verify’.
> 
> ‘gpgv’ is specifically designed for use cases like software signature
> verification against a keyring of “trusted keys” (it’s used by APT and
> Werner Koch recommends it¹.)  A significant difference compared to
> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
> revoked; all that matters is whether the signature is valid and whether
> the signing key is in the specified keyring.  I think that’s what we
> want when checking the signature of a tarball or Git commit.

Great, this is a big improvement. It would be awesome if we could get
similar support in Git (or find another way to authenticate our code).

> This patch changes the behavior of ‘guix refresh -u’, which now uses,
> by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
> That means that if you already have upstream keys in your own keyring,
> you’ll probably want to export them to this keyring.
> 
> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.
> 
> Feedback welcome!

LGTM!