The origins.git.trusted_sites setting is not well signposted based on documentation alone.

It would probably help if the error message when publishing fails due to an untrusted origin (currently just error: Origin is hosted on unknown site: <hostname>) had a note to the effect of You may need to update your 'origins.git.trusted_sites' setting. Obviously this should only be shown if --for-private-index is specified, and otherwise perhaps it should include something like Please contact us if you think a site should be allowed. (from here).

As a side note, the description in alr help settings should probably also mention that the restriction is motivated by vulnerabilities in SHA1, so that users understand the implications of changing it.