Arun Isaac (2016-08-31 08:37 +0300) wrote:

> I am trying to package a package that provides a GPG signed source
> archive. Is there any way to get Guix to verify this signature, by say,
> specifying it in the 'origin' object of the 'source' field of the
> package? What is the standard way this is done in Guix?

I think the procedure is: a packager verifies the source and that's it.
Since a package has a hash of the source, we can be sure that the source
wasn't changed since it was packaged, so if we find that a package has
a compromised source, we can blame the packager.

-- 
Alex
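What "a package has a hash of the source" looks like in practice: the `origin` record of a Guix package definition pins the upstream archive by its SHA-256, so any later change to the archive makes the fetch fail. The following is an added illustration, not code from the thread or from the Guix repository; `foo`, the URL and the 52-character base32 value are placeholders (a packager obtains the real value with `guix download URL` or `guix hash FILE` after checking the upstream GPG signature by hand).

```scheme
;; Added example of a Guix package definition; names and hash are placeholders.
(use-modules (guix packages)
             (guix download)
             (guix build-system gnu)
             (guix licenses))

(define-public foo
  (package
    (name "foo")
    (version "1.0")
    (source
     (origin
       (method url-fetch)
       ;; Placeholder upstream URL of the signed release archive.
       (uri "https://example.org/releases/foo-1.0.tar.gz")
       ;; Placeholder hash: replace with the output of `guix download` or
       ;; `guix hash` run on the archive whose signature was verified.
       (sha256
        (base32
         "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "https://example.org/foo")
    (synopsis "Placeholder package used to show the source hash field")
    (description "Example only; the sha256 field is what ties the package
definition to the exact archive the packager verified.")
    (license gpl3+)))
```

The signature check itself happens outside the package definition; what the definition records is the hash of the archive the packager accepted, which is why a mismatch later points back to that packaging step.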
