From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jakub =?UTF-8?Q?K=C4=85dzio=C5=82ka?= Subject: bug#22883: Authenticating Git checkouts: step #1 Date: Tue, 31 Dec 2019 20:16:39 +0100 Message-ID: <20191231191639.s2o4ycysloj4kwb5@zdrowyportier.kadziolka.net> References: <87io14sqoa.fsf@dustycloud.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:48465) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1imN0p-0001I7-OD for bug-guix@gnu.org; Tue, 31 Dec 2019 14:17:04 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1imN0o-0005ij-FS for bug-guix@gnu.org; Tue, 31 Dec 2019 14:17:03 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:57382) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1imN0o-0005hh-7E for bug-guix@gnu.org; Tue, 31 Dec 2019 14:17:02 -0500 In-Reply-To: <87io14sqoa.fsf@dustycloud.org> Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 22883@debbugs.gnu.org Hi Guix! Ludovic Courtès wrote: > --8<---------------cut here---------------start------------->8--- > If you want to hack Guix itself, it is recommended to use the latest > version from the Git repository: > > git clone https://git.savannah.gnu.org/git/guix.git > > How do you ensure that you obtained a genuine copy of the repository? > Guix itself provides a tool to “authenticate” your checkout, but you > must first make sure this tool is genuine in order to “bootstrap” the > trust chain. To do that, run: > > git verify-commit `git log --format=%H build-aux/git-authenticate.scm` > > The output must look something like: > > gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET > gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 > ... > gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET > gpg: using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 > ... > > ... meaning that changes to this file are all signed with key > ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this > key from a key server, if you have not done it yet). > > From there on, you can authenticate all the commits included in your > checkout by running: > > make authenticate > > The first run takes a couple of minutes, but subsequent runs are > faster. > > Note: You are advised to run ‘make authenticate’ after every ‘git > pull’ invocation. This ensures you keep receiving valid changes to > the repository > --8<---------------cut here---------------end--------------->8--- Sadly, these instructions don't work from a fresh clone. There is only Makefile.am and no Makefile itself, so you get $ make authenticate make: *** No rule to make target 'authenticate'. Stop. Moreover, I don't think running 'make authenticate' after 'git pull' would really work -- after you pulled, git-authenticate could've been modified, so the verify-commit you did earlier doesn't apply anymore. There's also the issue of trusting pre-inst-env, which is used to run the verification. Should that be passed to 'git log --format=%H' next to git-authenticate.scm? This also applies to any scripts you use to drive this process, like the Makefile. Regards, Kuba