guix git authenticate
guix git authenticate command authenticates a Git checkout
following the same rule as for channels (see channel authentication). That is, starting from a given commit, it ensures
that all subsequent commits are signed by an OpenPGP key whose fingerprint
appears in the .guix-authorizations file of its parent commit(s).
You will find this command useful if you maintain a channel. But in fact, this authentication mechanism is useful in a broader context, so you might want to use it for Git repositories that have nothing to do with Guix.
The general syntax is:
guix git authenticate commit signer [options…]
By default, this command authenticates the Git checkout in the current directory; it outputs nothing and exits with exit code zero on success and non-zero on failure. commit above denotes the first commit where authentication takes place, and signer is the OpenPGP fingerprint of public key used to sign commit. Together, they form a “channel introduction” (see channel introduction). The options below allow you to fine-tune the process.
Open the Git repository in directory instead of the current directory.
Load OpenPGP keyring from reference, the reference of a branch such as
my-keyring. The branch must contain OpenPGP
public keys in .key files, either in binary form or
“ASCII-armored”. By default the keyring is loaded from the branch named
Display commit signing statistics upon completion.
Previously-authenticated commits are cached in a file under ~/.cache/guix/authentication. This option forces the cache to be stored in file key in that directory.
By default, any commit whose parent commit(s) lack the .guix-authorizations file is considered inauthentic. In contrast, this option considers the authorizations in file for any commit that lacks .guix-authorizations. The format of file is the same as that of .guix-authorizations (see .guix-authorizations format).