doc: Recommend running 'guix git authenticate' when cloning the repo.

* doc/contributing.texi (Building from Git): Adjust instruction and
recommend 'guix git authenticate'.
This commit is contained in:
Ludovic Courtès 2020-07-22 15:04:21 +02:00
parent 2f648809e3
commit 63c799c1c5
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5

@ -42,30 +42,27 @@ git clone https://git.savannah.gnu.org/git/guix.git
@cindex authentication, of a Guix checkout @cindex authentication, of a Guix checkout
How do you ensure that you obtained a genuine copy of the repository? How do you ensure that you obtained a genuine copy of the repository?
Guix itself provides a tool to @dfn{authenticate} your checkout, but you To do that, run @command{guix git authenticate}, passing if the commit
must first make sure this tool is genuine in order to ``bootstrap'' the and OpenPGP fingerprint of the @dfn{channel introduction}
trust chain. To do that, run: (@pxref{Invoking guix git authenticate}):
@c XXX: Adjust instructions when there's a known tag to start from. @c The commit and fingerprint below must match those of the channel
@c introduction in '%default-channels'.
@example @example
git verify-commit `git log --format=%H build-aux/git-authenticate.scm` guix git authenticate 9edb3f66fd807b096b48283debdcddccfea34bad \
@end example "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"
The output must look something like:
@example
gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
@dots{}
gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
@dots{}
@end example @end example
@noindent @noindent
... meaning that changes to this file are all signed with key This command completes with exit code zero on success; it prints an
@code{3CE464558A84FDC69DB40CFB090B11993D9AEBB5} (you may need to fetch error message and exits with a non-zero code otherwise.
this key from a key server, if you have not done it yet).
As you can see, there is a chicken-and-egg problem: you first need to
have Guix installed. Typically you would install Guix System
(@pxref{System Installation}) or Guix on top of another distro
(@pxref{Binary Installation}); in either case, you would verify the
OpenPGP signature on the installation medium. This ``bootstraps'' the
trust chain.
The easiest way to set up a development environment for Guix is, of The easiest way to set up a development environment for Guix is, of
course, by using Guix! The following command starts a new shell where course, by using Guix! The following command starts a new shell where