GNU bug report logs

#22883 Trustable "guix pull"


Message #135 received at 22883@debbugs.gnu.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: 22883@debbugs.gnu.org
Subject: Trustable "guix pull"
Date: Tue, 28 Aug 2018 12:56:02 -0700
Message-ID: <87tvnemfjh.fsf@aikidev.net>
This isn't exactly pretty, and obviously a better long-term solution is
needed, but I wrote a quick shell script to at least partially address
some of my biggest fears with guix pull...

Basically, it updates a git checkout, checks the signatures on the
commits, looking for the topmost signed commit by a key in a specific
keyring, and then runs guix pull with that commit.


It relies on a custom gpg directory and assumes any of the keys in the
keyring are valid potential signers of the commits; the web of trust is
essentially ignored.

I really don't like having a custom GNUPGHOME, but I didn't see any
other obvious way to pass arguments to git to use a custom keyring. I
populated this GNUPGHOME with keys from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And then ran gpg --refresh-keys on it, as several keys were
outdated/expired.

(an alternative approach to populate the keyring might be:
https://gitlab.com/Efraim/guix-keyring)


It also assumes a git checkout where "git pull" pulls from the correct
repository.

It assumes guix --version returns a valid git hash, so would require
some more tweaks to get it working from a fresh guix install.

All those caveats aside, it seems to work well enough for me, and
writing this email took longer than writing the script. :)


live well,
  vagrant


#!/bin/sh

set -x
set -e
workdir=/home/vagrant/src/guix
# Keyring of acceptable signers; any key in it is trusted and the web of
# trust is not consulted.
export GNUPGHOME="$workdir/verified-pull/gnupg"
cd "$workdir"
git pull
# Commit of the currently running guix (assumes `guix --version`
# prints a git hash as its fourth field).
guixversion=$(guix --version | awk '/^guix/{print $4}')

# One "<signature status>,<hash>" line per new commit, newest first.
commits=$(git log "${guixversion}.." --pretty='format:%G?,%H')

# %G?: show
# "G" for a good (valid) signature,
# "B" for a bad signature,
# "U" for a good signature with unknown validity,
# "X" for a good signature that has expired,
# "Y" for a good signature made by an expired key,
# "R" for a good signature made by a revoked key,
# "E" if the signature cannot be checked (e.g. missing key) and
# "N" for no signature

# Walk newest to oldest and pull the first commit whose signature
# verifies against the keyring.
for commitlog in $commits ; do
    commitverify=$(echo "$commitlog" | cut -d , -f 1)
    commit=$(echo "$commitlog" | cut -d , -f 2)
    case $commitverify in
	G|U) git verify-commit "$commit" && \
		   guix pull --url="file://$workdir" --commit="$commit" && \
		   exit 0 ;;
    esac
done

echo unable to find signed commit
exit 1
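An added example, not part of this bug report or of Guix: the script above accepts a good signature from any key in the keyring, so this standalone Python 3 helper extends its selection loop to also pin the signer's fingerprint, consuming the output of `git log <old>.. --pretty='format:%G?,%GF,%H'` (the `%GF` placeholder needs git 2.19 or later). The hashes, fingerprints and log lines below are constructed placeholders.

```python
import re

# Accept "G" (good) and "U" (good, validity unknown): the keyring itself is
# the trust anchor, so the web of trust is deliberately not consulted.
ACCEPTED_STATUS = frozenset({"G", "U"})
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
STATUS_TEXT = {"B": "bad signature", "X": "signature expired",
               "Y": "signing key expired", "R": "signing key revoked",
               "E": "signature cannot be checked (missing key)", "N": "no signature"}

def parse_log(text):
    """Yield (status, fingerprint, sha) per line of `git log <old>..
    --pretty='format:%G?,%GF,%H'`; %GF is empty unless gpg found a valid signature."""
    for line in text.splitlines():
        if not line.strip():
            continue
        status, fpr, sha = line.split(",", 2)
        if not SHA1_RE.match(sha):
            raise ValueError("not a commit hash: %r" % sha)
        yield status, fpr.upper(), sha

def pick_trusted_commit(text, allowed_fingerprints):
    """Return (sha, rejections): newest commit well signed by an allow-listed
    key (or None) and the (sha, reason) list of newer commits that were skipped."""
    allowed = {f.upper() for f in allowed_fingerprints}
    rejections = []
    for status, fpr, sha in parse_log(text):
        if status not in ACCEPTED_STATUS:
            rejections.append((sha, STATUS_TEXT.get(status, "status " + status)))
        elif fpr not in allowed:
            rejections.append((sha, "signer %s not in allow-list" % fpr))
        else:
            return sha, rejections
    return None, rejections

# Constructed sample (placeholder hashes and fingerprints), newest first.
TRUSTED_FPR = "A" * 40
SAMPLE_LOG = "\n".join([
    "B,,%s" % ("1" * 40),                 # tampered tip: bad signature
    "G,%s,%s" % ("B" * 40, "2" * 40),     # good, but signer not allow-listed
    "N,,%s" % ("3" * 40),                 # unsigned commit
    "G,%s,%s" % (TRUSTED_FPR, "4" * 40),  # this one gets pulled
    "E,,%s" % ("5" * 40),                 # signer's key not in the keyring
])

if __name__ == "__main__":
    sha, skipped = pick_trusted_commit(SAMPLE_LOG, [TRUSTED_FPR])
    for s, why in skipped:
        print("skip %s: %s" % (s[:12], why))
    print("guix pull --commit=%s" % sha)
```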
