From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alex Kost
Subject: Re: Packaging packages with GPG signed source archives
Date: Wed, 31 Aug 2016 10:33:54 +0300
Message-ID: <87oa49crz1.fsf@gmail.com>
In-Reply-To: (Arun Isaac's message of "Wed, 31 Aug 2016 11:07:47 +0530")
To: Arun Isaac
Cc: help-guix

Arun Isaac (2016-08-31 08:37 +0300) wrote:

> I am trying to package a package that provides a GPG signed source
> archive. Is there any way to get Guix to verify this signature, by say,
> specifying it in the 'origin' object of the 'source' field of the
> package? What is the standard way this is done in Guix?

I think the procedure is: a packager verifies the source and that's it.
Since a package has a hash of the source, we can be sure that the source
wasn't changed since it was packaged, so if we find that a package has a
compromised source, we can blame the packager.

-- 
Alex
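The packager-side procedure Alex describes, as an added example that is not part of this thread and not code from Guix: verify the upstream OpenPGP signature once, then compute the hash that goes into the package's `origin`. The hash Guix records is the sha256 of the archive in the nix-base32 encoding that `guix hash` prints; that encoding is implemented here so the value can be checked on a machine without Guix. The file names and the `gpg --verify` wrapper are assumptions about how a packager would run it; which key to trust is the manual step Alex refers to and is not automated here.

```python
# Added example for this thread (not code from Guix or from either poster).
# Shows the packager-side step: verify the upstream signature, then record
# the source hash in the origin. Guix stores sha256 in nix-base32, the
# encoding `guix hash` prints, reimplemented below so it can be checked
# without Guix installed. Paths given on the command line are placeholders.
import hashlib
import subprocess
import sys

# Alphabet shared by Nix and Guix for base32 hashes: e, o, t and u are omitted.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(data: bytes) -> str:
    """Encode bytes as Nix/Guix do: take 5-bit groups starting from the least
    significant bit of the first byte and emit the highest group first."""
    nchars = (len(data) * 8 + 4) // 5
    out = []
    for n in range(nchars - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, nbytes: int) -> bytes:
    """Inverse of nix_base32_encode for a hash of known byte length."""
    buf = bytearray(nbytes)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32.index(ch)  # raises ValueError on a bad character
        i, j = divmod(n * 5, 8)
        buf[i] |= (digit << j) & 0xFF
        if i + 1 < nbytes:
            buf[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("nix-base32 string has bits beyond the hash size")
    return bytes(buf)


def guix_hash_bytes(data: bytes) -> str:
    """The value `guix hash` prints for a regular file with these contents."""
    return nix_base32_encode(hashlib.sha256(data).digest())


def guix_hash_file(path: str) -> str:
    with open(path, "rb") as f:
        return guix_hash_bytes(f.read())


def signature_is_valid(archive: str, signature: str) -> bool:
    """Run gpg's detached-signature check. gpg exits 0 only when the signature
    verifies against a key already in the local keyring, so the packager must
    first import the upstream key and compare its fingerprint with the one the
    project publishes out of band; that comparison is the packager's own job."""
    result = subprocess.run(
        ["gpg", "--batch", "--verify", signature, archive],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Placeholder usage: python3 check-source.py foo-1.0.tar.gz foo-1.0.tar.gz.sig
    if len(sys.argv) != 3:
        sys.exit("usage: check-source.py ARCHIVE SIGNATURE")
    archive, signature = sys.argv[1], sys.argv[2]
    if not signature_is_valid(archive, signature):
        sys.exit("signature check failed; do not package this archive")
    # This string is what goes into (sha256 (base32 "...")) of the origin.
    print(guix_hash_file(archive))
```

Once the printed hash is in the `origin`, later builds compare the downloaded archive against it, which is why the signature only needs to be checked at packaging time: the hash pins the exact bytes the packager verified.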