From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id SPF3NeSz3l6rbgAA0tVLHw (envelope-from ) for ; Mon, 08 Jun 2020 21:55:48 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id MC5IMeSz3l7TCgAAbx9fmQ (envelope-from ) for ; Mon, 08 Jun 2020 21:55:48 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8E967940145 for ; Mon, 8 Jun 2020 21:55:48 +0000 (UTC) Received: from localhost ([::1]:45894 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jiPkB-00056S-Ex for larch@yhetil.org; Mon, 08 Jun 2020 17:55:47 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:50366) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jiPjX-0004ZY-0n for bug-guix@gnu.org; Mon, 08 Jun 2020 17:55:07 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:46571) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jiPjW-0008Co-8S for bug-guix@gnu.org; Mon, 08 Jun 2020 17:55:06 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jiPjW-0006XO-7B; Mon, 08 Jun 2020 17:55:06 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#22883: [PATCH 8/9] pull: Add '--disable-authentication'. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Mon, 08 Jun 2020 21:55:06 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 22883 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 22883@debbugs.gnu.org Received: via spool by 22883-submit@debbugs.gnu.org id=B22883.159165329925040 (code B ref 22883); Mon, 08 Jun 2020 21:55:06 +0000 Received: (at 22883) by debbugs.gnu.org; 8 Jun 2020 21:54:59 +0000 Received: from localhost ([127.0.0.1]:58106 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jiPjO-0006Vi-IX for submit@debbugs.gnu.org; Mon, 08 Jun 2020 17:54:58 -0400 Received: from eggs.gnu.org ([209.51.188.92]:42200) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jiPjL-0006UI-My for 22883@debbugs.gnu.org; Mon, 08 Jun 2020 17:54:56 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:57664) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jiPjG-00083K-DQ; Mon, 08 Jun 2020 17:54:50 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56818 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jiPjF-0007OP-LI; Mon, 08 Jun 2020 17:54:50 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Mon, 8 Jun 2020 23:54:14 +0200 Message-Id: <20200608215415.2871-8-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200608215415.2871-1-ludo@gnu.org> References: <20200608215415.2871-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Spam-Score: 3.99 X-TUID: 0WHUYrRMcMi1 * guix/channels.scm (latest-channel-instance): Add #:authenticate? and honor it. (latest-channel-instances): Likewise. * guix/scripts/pull.scm (%default-options): Add 'authenticate-channels?'. (show-help, %options): Add '--disable-authentication'. (guix-pull): Pass #:authenticate? to 'latest-channel-instances'. * doc/guix.texi (Invoking guix pull): Document it. --- doc/guix.texi | 14 ++++++++++++++ guix/channels.scm | 25 +++++++++++++++++-------- guix/scripts/pull.scm | 14 ++++++++++++-- 3 files changed, 43 insertions(+), 10 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 6fcb47970b..8131b3bf0d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3927,6 +3927,20 @@ Make sure you understand its security implications before using @option{--allow-downgrades}. @end quotation +@item --disable-authentication +Allow pulling channel code without authenticating it. + +@cindex authentication, of channel code +By default, @command{guix pull} authenticates code downloaded from +channels by verifying that its commits are signed by authorized +developers, and raises an error if this is not the case. This option +instructs it to not perform any such verification. + +@quotation Note +Make sure you understand its security implications before using +@option{--disable-authentication}. +@end quotation + @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of diff --git a/guix/channels.scm b/guix/channels.scm index 43ddff6f7c..9e6adda5e9 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -391,11 +391,12 @@ commits ~a to ~a (~h new commits)...~%") (define* (latest-channel-instance store channel #:key (patches %patches) starting-commit + (authenticate? #f) (validate-pull ensure-forward-channel-update)) "Return the latest channel instance for CHANNEL. When STARTING-COMMIT is true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and -their relation." +their relation. When AUTHENTICATE? is false, CHANNEL is not authenticated." (define (dot-git? file stat) (and (string=? (basename file) ".git") (eq? 'directory (stat:type stat)))) @@ -409,13 +410,15 @@ their relation." (when relation (validate-pull channel starting-commit commit relation)) - (if (channel-introduction channel) - (authenticate-channel channel checkout commit) - ;; TODO: Warn for all the channels once the authentication interface - ;; is public. - (when (guix-channel? channel) - (warning (G_ "the code of channel '~a' cannot be authenticated~%") - (channel-name channel)))) + (if authenticate? + (if (channel-introduction channel) + (authenticate-channel channel checkout commit) + ;; TODO: Warn for all the channels once the authentication interface + ;; is public. + (when (guix-channel? channel) + (warning (G_ "the code of channel '~a' cannot be authenticated~%") + (channel-name channel)))) + (warning (G_ "channel authentication disabled~%"))) (when (guix-channel? channel) ;; Apply the relevant subset of PATCHES directly in CHECKOUT. This is @@ -463,11 +466,15 @@ allow non-forward updates.")))))))))) (define* (latest-channel-instances store channels #:key (current-channels '()) + (authenticate? #t) (validate-pull ensure-forward-channel-update)) "Return a list of channel instances corresponding to the latest checkouts of CHANNELS and the channels on which they depend. +When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a +\"channel introduction\". + CURRENT-CHANNELS is the list of currently used channels. It is compared against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called for each channel update and can choose to emit warnings or raise an error, @@ -505,6 +512,8 @@ depending on the policy it implements." (let* ((current (current-commit (channel-name channel))) (instance (latest-channel-instance store channel + #:authenticate? + authenticate? #:validate-pull validate-pull #:starting-commit diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index d3d0d2bd64..f953957161 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -82,6 +82,7 @@ (graft? . #t) (debug . 0) (verbosity . 1) + (authenticate-channels? . #t) (validate-pull . ,ensure-forward-channel-update))) (define (show-help) @@ -97,6 +98,9 @@ Download and deploy the latest version of Guix.\n")) --branch=BRANCH download the tip of the specified BRANCH")) (display (G_ " --allow-downgrades allow downgrades to earlier channel revisions")) + (display (G_ " + --disable-authentication + disable channel authentication")) (display (G_ " -N, --news display news compared to the previous generation")) (display (G_ " @@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n")) (lambda (opt name arg result) (alist-cons 'validate-pull warn-about-backward-updates result))) + (option '("disable-authentication") #f #f + (lambda (opt name arg result) + (alist-cons 'authenticate-channels? #f result))) (option '(#\p "profile") #t #f (lambda (opt name arg result) (alist-cons 'profile (canonicalize-profile arg) @@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead.")) (channels (channel-list opts)) (profile (or (assoc-ref opts 'profile) %current-profile)) (current-channels (profile-channels profile)) - (validate-pull (assoc-ref opts 'validate-pull))) + (validate-pull (assoc-ref opts 'validate-pull)) + (authenticate? (assoc-ref opts 'authenticate-channels?))) (cond ((assoc-ref opts 'query) (process-query opts profile)) ((assoc-ref opts 'generation) @@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead.")) #:current-channels current-channels #:validate-pull - validate-pull))) + validate-pull + #:authenticate? + authenticate?))) (format (current-error-port) (N_ "Building from this channel:~%" "Building from these channels:~%" -- 2.26.2