Ludovic Courtès writes: > A consequence is that a mirror operator who’d like to, say, > remove some of the compression methods cannot do that, unless they > are in a position to resign narinfos. > > This patch fixes it by computing the signature over the normative > fields only (plus the “Deriver” field, although it’s not strictly > necessary). The result looks like this: ... > Notice that URL/Compression come after the signature. > > I added a test to ‘tests/substitute.scm’ to be entirely sure > that (guix narinfo) handles these correctly. > > Thoughts? This sounds good to me. Going back to talk of enabling zstd substitutes on bordeaux.guix.gnu.org, this approach will be really helpful, as it means it's something the nar-herder can do, without needing the signing key. Also, at some point, it would be good to move narinfo-string out to (guix narinfo), which would allow for the build coordinator to use it, rather than it's own implementation. Thanks, Chris