The guix pull and guix time-machine commands authenticate the code
retrieved from channels: they make sure each commit that is fetched is
signed by an authorized developer. The goal is to protect from
unauthorized modifications to the channel that would lead users to run
malicious code.

As a user, you must provide a channel introduction in your channels file so that Guix knows how to authenticate its first commit. A channel specification, including its introduction, looks something along these lines:

    (channel
     (name 'some-channel)
     (url "https://example.org/some-channel.git")
     (introduction
      (make-channel-introduction
       "6f0d8cc0d88abb59c324b2990bfee2876016bb86"
       (openpgp-fingerprint
        "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))

The specification above shows the name and URL of the channel. The call
to make-channel-introduction above specifies that authentication of this
channel starts at commit 6f0d8cc…, which is signed by the OpenPGP key
with fingerprint CABB A931….

For the main channel, called
guix, you automatically get that
information from your Guix installation. For other channels, include
the channel introduction provided by the channel authors in your
channels.scm file. Make sure you retrieve the channel
introduction from a trusted source since that is the root of your trust.
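
A channels file can be checked for the requirement above before it is used. The following Python code is an added example, not part of Guix or of this manual: it reads the text of a channels file and reports every channel other than guix that has no introduction, or whose introduction is not a make-channel-introduction form with a commit and an openpgp-fingerprint. The names parse, channels, audit and SAMPLE are made up here, and the 40-hex-digit length of both values is an assumption taken from the example specification above.

```python
import re
TOKEN = re.compile(r';[^\n]*|"(?:\\.|[^"\\])*"|[()]|[^\s()";]+')
HEX40 = re.compile(r"[0-9A-Fa-f]{40}")  # assumed shape of commit id and fingerprint

def parse(text):
    """Read Scheme text into nested lists (strings unquoted, symbols as str)."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())      # close form; IndexError on a stray ')'
        elif not tok.startswith(";"):          # drop comments
            stack[-1].append(tok.strip('"').lstrip("'"))
    if len(stack) != 1:
        raise ValueError("unclosed '(': refusing to audit a truncated file")
    return stack[0]

def channels(tree):
    """Yield the fields of every (channel ...) form, however deeply nested."""
    for node in tree:
        if isinstance(node, list) and node[:1] == ["channel"]:
            yield {f[0]: f[1:] for f in node[1:] if isinstance(f, list) and f and isinstance(f[0], str)}
        elif isinstance(node, list):
            yield from channels(node)

def audit(text):
    """Map channel name -> problem for channels without a usable introduction."""
    problems = {}
    for ch in channels(parse(text)):
        name, intro = (ch.get("name") or ["?"])[0], ch.get("introduction")
        if intro is None:
            if name != "guix":   # main channel: introduction comes with the installation
                problems[name] = "missing introduction"
            continue
        try:
            (head, commit, (fhead, fpr)), = intro
            ok = ((head, fhead) == ("make-channel-introduction", "openpgp-fingerprint")
                  and HEX40.fullmatch(commit) and HEX40.fullmatch(fpr.replace(" ", "")))
        except (ValueError, TypeError, AttributeError):
            ok = False
        if not ok:
            problems[name] = "malformed introduction"
    return problems

# Constructed sample: the channel from the text plus one with no introduction.
SAMPLE = '''(list (channel (name 'some-channel) (url "https://example.org/some-channel.git")
  (introduction (make-channel-introduction "6f0d8cc0d88abb59c324b2990bfee2876016bb86"
    (openpgp-fingerprint "CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
 (channel (name 'no-intro) (url "https://example.org/no-intro.git")))'''
```

The check covers form only: whether the commit and fingerprint are the right ones still depends on where you obtained the introduction.
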
If you’re curious about the authentication mechanics, read on!