Also, make sure to install the pre-push hook, it should not have let you commit without checking your commits were properly recognised.

Le 11 mars 2021 08:11:38 GMT-05:00, Taylan Kammer <taylan.kammer@gmail.com> a écrit :
>On 11.03.2021 08:37, Maxime Devos wrote:
>> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>>> [...]
>>> Damn, sorry about that.  I assumed of course that an improperly
>signed
>>> commit would not be accepted, so I didn't pay any special mind.
>>>
>>> However, I also assumed that adding a new GPG key to my
>savannah.gnu.org
>>> account would be sufficient.
>> 
>> "guix pull" only looks at the git repo (the .guix-authorizations file
>+ the
>> keyring branch), and not anything else provided by savannah.  Doing
>so would
>> introduce an additional point where the "guix pull" mechanism could
>be
>> compromised.  The git repository could as well have been hosted at
>> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>> 
>> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’
>and
>> ‘7.4 Invoking ‘guix git authenticate’’).
>
>Thanks, makes sense.
>
>I'm hopping workstations recently, and my general habit is to create
>new
>keys on each machine I'm using and register them where ever needed.
>(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
>
>I guess I shouldn't do that with Guix push access and instead keep a
>GPG
>key on a USB drive or such.
>
>
>- Taylan