Record in ~/.cache, under KEY, COMMIT-ID and its closure as authenticated (only COMMIT-ID is written to cache, though).

Read authorizations in the '.guix-authorizations' format from PORT, and return a list of authorized fingerprints.

Return the OpenPGP key that signed COMMIT-ID (an OID). Raise an exception if the commit is unsigned, has an invalid signature, has a signature using one of the hash algorithms in DISALLOWED-HASH-ALGORITHMS, or if its signing key is not in KEYRING.

Load the '.key' files from the tree at REFERENCE in REPOSITORY and return an OpenPGP keyring.

Return the list of OpenPGP fingerprints authorized to sign COMMIT, based on authorizations listed in its parent commits. If one of the parent commits does not specify anything, fall back to DEFAULT-AUTHORIZATIONS.

Authenticate COMMIT from REPOSITORY and return the signing key fingerprint. Raise an error when authentication fails. If one of the parent commits does not specify anything, fall back to DEFAULT-AUTHORIZATIONS.

Authenticate REPOSITORY up to commit END, an OID. Authentication starts with commit START, an OID, which must be signed by SIGNER; an exception is raised if that is not the case. Commits listed in AUTHENTIC-COMMITS and their closure are considered authentic. Return an alist mapping OpenPGP public keys to the number of commits signed by that key that have been traversed.

The OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY, where KEYRING-REFERENCE is the name of a branch. The list of authenticated commits is cached in the authentication cache under CACHE-KEY.

HISTORICAL-AUTHORIZATIONS must be a list of OpenPGP fingerprints (bytevectors) denoting the authorized keys for commits whose parent lack the '.guix-authorizations' file.

Authenticate COMMITS, a list of commit objects, calling REPORT-PROGRESS for each of them. Return an alist showing the number of occurrences of each key. If KEYRING is omitted, the OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY.

Return a unique key to store the authenticate commit cache for REPOSITORY.

Return the version string for packages using git-download.

Return a predicate that returns true if a file is part of the Git checkout living at DIRECTORY. If DIRECTORY does not lie within a Git checkout, and upon Git errors, return #f instead of a predicate.

When RECURSIVE? is true, the predicate also returns true if a file is part of any Git submodule under DIRECTORY. This is enabled by default.

The returned predicate takes two arguments FILE and STAT where FILE is an absolute file name and STAT is the result of 'lstat'.