@@ 120,15 120,18 @@ Environment](https://man.sr.ht/builds.sr.ht/#build-environment).
# Substitute Servers
-Supporting substitute servers is currently being explored.
-
-## Download packages from unauthorized substitute servers
-
-Guix can download packages from unauthorized servers that are
-bit-for-bit-identical to those provided from authorized servers. URLs
-to substitute servers can be given to `guix package` via
-`--substitute-urls` to opt-in. See [Substitute
+Downloading from substitute servers other than the official guix
+servers is done in two steps. If the substitute servers are trusted,
+they should be authorized first. This is done by providing the public
+keys of trusted servers to `guix archive --authorize`. URLs to
+substitute servers can then be given to various guix commands, like
+`guix package`, via `--substitute-urls` flag to enable downloading
+binaries directly instead. See [Substitute
Authentication](https://guix.gnu.org/manual/en/html_node/Substitute-Authentication.html).
+Projects should have public keys of substitute servers in the source.
+
+Guix System will trust the keys only until the next boot. This is
+important only if you are inspecting failed builds using shell access.
Example:
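Review bot: The rewritten paragraph opens with "If the substitute servers are trusted, they should be authorized first" but no longer says what happens for a server that is not authorized; the removed text covered that case (substitutes are accepted only when bit-for-bit identical to those provided by authorized servers), and dropping it leaves readers guessing whether `--substitute-urls` alone is enough. I would keep one sentence for the unauthorized case. The line "Projects should have public keys of substitute servers in the source" also deserves a short note that a change to the committed key file changes which server the build trusts, so it should be reviewed like code. Two wording points: "via `--substitute-urls` flag" needs "the", and "Guix System will trust the keys only until the next boot" would be clearer if it said the authorization is lost on reboot and therefore has to be repeated in every build.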
@@ 143,12 146,9 @@ Example:
image: guix
tasks:
- guix: |
+ guix archive --authorize < project/path/to/key.pub
servers="https://example.com https://ci.guix.gnu.org https://bordeaux.guix.gnu.org"
guix package -v0 --substitute-urls=$servers -m project/path/to/manifest.scm
- greet: |
hello
```
-
-## Authorize substitute servers
-
-TODO
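Review bot: The added `guix archive --authorize < project/path/to/key.pub` line authorizes a single key while `servers` lists three URLs, and the example does not say which server that key belongs to; a comment such as "key.pub is the signing key of https://example.com" would make the trust decision explicit and show that one `--authorize` call is needed per additional server. On the unchanged line below it, `--substitute-urls=$servers` is unquoted, so the shell splits the value at the spaces and only the first URL stays attached to the option; `--substitute-urls="$servers"` passes the whole list. Since this hunk also deletes the "## Authorize substitute servers" TODO, check that nothing else in the document links to that heading.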