diff --git a/guix/pki.scm b/guix/pki.scm
index 6f5e95b0ab10b07f3ce14dd6100a9893ea9aefaa..3cd9763fdf0e0d154505d126a1bac900f392660c 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -30,6 +30,7 @@ (define-module (guix pki)
             public-keys->acl
             acl->public-keys
             authorized-key?
+            write-acl
 
             signature-sexp
             signature-subject
@@ -83,9 +84,13 @@ (define (ensure-acl)
         (mkdir-p (dirname %acl-file))
         (with-atomic-file-output %acl-file
           (lambda (port)
-            (display (canonical-sexp->string
-                      (public-keys->acl (list public-key)))
-                     port)))))))
+            (write-acl (public-keys->acl (list public-key))
+                       port)))))))
+
+(define (write-acl acl port)
+  "Write ACL to PORT in canonical-sexp format."
+  (let ((sexp (sexp->canonical-sexp acl)))
+    (display (canonical-sexp->string sexp) port)))
 
 (define (current-acl)
   "Return the current ACL."
diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index 90dc844281873de9af3ef7c16e5ca5dd4a6f8dd9..0a2e186da68bcb2bb71228e1346597ff5de84502 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -288,9 +288,7 @@ (define (read-key)
     (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
       (mkdir-p (dirname %acl-file))
       (with-atomic-file-output %acl-file
-        (lambda (port)
-          (display (canonical-sexp->string (sexp->canonical-sexp acl))
-                   port))))))
+        (cut write-acl acl <>)))))
 
 (define (guix-archive . args)
   (define (parse-options)