#22883 Trustable "guix pull"

Message #174 received at 22883@debbugs.gnu.org (full text, mbox, reply):

Received: (at 22883) by debbugs.gnu.org; 29 Dec 2019 07:35:12 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Dec 29 02:35:12 2019
Received: from localhost ([127.0.0.1]:59192 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ilT6V-0001Nh-MM
	for submit@debbugs.gnu.org; Sun, 29 Dec 2019 02:35:12 -0500
Received: from flashner.co.il ([178.62.234.194]:40344)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <efraim@flashner.co.il>) id 1ilT6U-0001NI-8e
 for 22883@debbugs.gnu.org; Sun, 29 Dec 2019 02:35:10 -0500
Received: from localhost (unknown [141.226.13.108])
 by flashner.co.il (Postfix) with ESMTPSA id 5F82340231;
 Sun, 29 Dec 2019 07:35:03 +0000 (UTC)
Date: Sun, 29 Dec 2019 09:34:32 +0200
From: Efraim Flashner <efraim@flashner.co.il>
To: Vagrant Cascadian <vagrant@debian.org>
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Message-ID: <20191229073432.GY23018@E5400>
References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net>
 <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net>
 <877ek364u5.fsf@gnu.org> <87mubmodfb.fsf_-_@gnu.org>
 <87eewqgc1v.fsf@gnu.org> <87o8vto5rl.fsf@elephly.net>
 <87a77bzw6p.fsf@yucca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="YPOU9eFKIy6Wf5kE"
Content-Disposition: inline
In-Reply-To: <87a77bzw6p.fsf@yucca>
X-PGP-Key-ID: 0x41AAE7DCCA3D8351
X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc
X-PGP-Fingerprint: A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 22883
Cc: Ricardo Wurmus <rekado@elephly.net>, 22883@debbugs.gnu.org,
 Ludovic Courtès <ludo@gnu.org>, guix-devel@gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

[Message part 1 (text/plain, inline)]

On Sat, Dec 28, 2019 at 06:45:34PM -0800, Vagrant Cascadian wrote:
> On 2019-12-27, Ricardo Wurmus wrote:
> >>   b3011dbbd2 doc: Mention "make authenticate".
> >>   787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
> >>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
> >>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
> >>
> >> Commit 787766ed1e takes care of caching (one of the limitations I
> >> mentioned in my previous message).
> >>
> >> Commit b3011dbbd2 adds instructions for contributors on how to
> >> authenticate a checkout (copied below).  It’s a bit bumpy so I would
> >> very much welcome feedback and suggestions on how to improve this!
> >
> > This is great!
> 
> Yes! Yes!
> 
> 
> > Thank you for the instructions.  I thought I had all keys, but
> > apparently at least one of them is missing.  “make authenticate” fails
> > for me with this error:
> >
> > Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
> >
> > I previously downloaded the gpg keyring from Savannah:
> >
> >     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
> >
> > Looks like Hartmut used to use a different key, which I don’t have.
> 
> I got this too, and manually worked around it by downloading
> guix-keyring.gpg from:
> 
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
> 
> And running:
> 
>   gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg
> 

Thanks for the hint. I started with importing the keyring into my normal
keyring but I see now we have another keyring for this specifically.

(another being the user default, ~/.config/guix/upstream/trustedkeys.kbx
and now this one)

> It seems to be working now... how is the keyring *supposed* to be
> populated? Before I manually imported guix-keyring.gpg into guix.kbx,
> there were a very small number of keys present.
> 
> 
> It's a little awkward that it uses the fingerprint of the signing key
> rather than the primary key, as by default things like "gpg --list-keys"
> do not display the fingerprint of signing keys, only the primary key, so
> it is an adventure in gpg commandline options to correlate them.
> 
> "gpg log --show-signature" also reports the the primary key fingerprint,
> if the key is available in the keyring, and only the subkey fingerprint
> for unknown keys if I remember correctly.
> 
> It would be nice if the statistics would display the primary uid
> instead, as it is something a little more human readable, and the
> primary key fingerprint, as it is a little easier to find. :)
> 
> 
> I'm hoping the eventual goal is to integrate this into guix pull?
> 
> 
> Very nice to see progress on this issue!
> 
> 
> live well,
>   vagrant



-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.