|
|
@@ -42,30 +42,27 @@ git clone https://git.savannah.gnu.org/git/guix.git |
|
|
|
|
|
|
|
@cindex authentication, of a Guix checkout |
|
|
|
How do you ensure that you obtained a genuine copy of the repository? |
|
|
|
Guix itself provides a tool to @dfn{authenticate} your checkout, but you |
|
|
|
must first make sure this tool is genuine in order to ``bootstrap'' the |
|
|
|
trust chain. To do that, run: |
|
|
|
To do that, run @command{guix git authenticate}, passing if the commit |
|
|
|
and OpenPGP fingerprint of the @dfn{channel introduction} |
|
|
|
(@pxref{Invoking guix git authenticate}): |
|
|
|
|
|
|
|
@c XXX: Adjust instructions when there's a known tag to start from. |
|
|
|
@c The commit and fingerprint below must match those of the channel |
|
|
|
@c introduction in '%default-channels'. |
|
|
|
@example |
|
|
|
git verify-commit `git log --format=%H build-aux/git-authenticate.scm` |
|
|
|
@end example |
|
|
|
|
|
|
|
The output must look something like: |
|
|
|
|
|
|
|
@example |
|
|
|
gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET |
|
|
|
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 |
|
|
|
@dots{} |
|
|
|
gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET |
|
|
|
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 |
|
|
|
@dots{} |
|
|
|
guix git authenticate 9edb3f66fd807b096b48283debdcddccfea34bad \ |
|
|
|
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA" |
|
|
|
@end example |
|
|
|
|
|
|
|
@noindent |
|
|
|
... meaning that changes to this file are all signed with key |
|
|
|
@code{3CE464558A84FDC69DB40CFB090B11993D9AEBB5} (you may need to fetch |
|
|
|
this key from a key server, if you have not done it yet). |
|
|
|
This command completes with exit code zero on success; it prints an |
|
|
|
error message and exits with a non-zero code otherwise. |
|
|
|
|
|
|
|
As you can see, there is a chicken-and-egg problem: you first need to |
|
|
|
have Guix installed. Typically you would install Guix System |
|
|
|
(@pxref{System Installation}) or Guix on top of another distro |
|
|
|
(@pxref{Binary Installation}); in either case, you would verify the |
|
|
|
OpenPGP signature on the installation medium. This ``bootstraps'' the |
|
|
|
trust chain. |
|
|
|
|
|
|
|
The easiest way to set up a development environment for Guix is, of |
|
|
|
course, by using Guix! The following command starts a new shell where |
|
|
|
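Review bot: The sentence "To do that, run @command{guix git authenticate}, passing if the commit" has a typo: "passing if the" should read "passing it the". Separately, the example hard-codes the introduction commit and fingerprint, and the only safeguard against drift is the @c comment saying they must match '%default-channels'. Since a stale value here would make readers authenticate against the wrong trust anchor or see a spurious failure, consider generating these two values from the channel definition at build time, or adding a check that fails when the manual and '%default-channels' disagree. The "@c XXX" note about a known tag is also worth turning into a tracked item so it is not forgotten.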