bug#22883: Trustable "guix pull"

[ludo@gnu.org (Ludovic Courtès)]

Hi Werner,

Werner Koch <wk@gnupg.org> skribis:

> I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread
> moved to name gpg2 gpg)

We have a policy to respect what upstream does because in general we
cannot or shouldn’t try to guess what’s “best”, IMO.  So in this case,
we keep the default names, ‘gpg2’ and ‘gpgv2’.

Do you think we should rename those files?

> because we once wrote it for Debian.  It has the simplest semantics
> and thus best fits your purpose.  We use it in GnuPG itself for the
> speedo build system; it is sufficent to run this simple script:
>
> --8<---------------cut here---------------start------------->8---
>   if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
>     echo "list of software versions is not valid!" >&2
>     exit 1
>   fi
> --8<---------------cut here---------------end--------------->8---

OK.

The problem I mentioned is that git expects to invoke ‘gpg’, not ‘gpgv’,
and it does not provide a way to pass a different argument list:

  https://github.com/git/git/blob/master/gpg-interface.c#L213

> In all other context I would suggest the use of GPGME to verify
> signatures, because GPGME also evaluates the trust and all the status
> line gpg spits out.
>
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.

I’m aware of it, but unfortunately, git invokes gpg on the user’s
behalf, and all it gives is the human-readable, l10n’d output:

--8<---------------cut here---------------start------------->8---
$ LANGUAGE=fr_FR git log  --pretty="format:%H %GG" HEAD |head -4
40d71e44f5068b28f48bd131940260cc0ab2e2d1 gpg: Signature faite le Sun 05 Jun 2016 12:05:39 AM CEST avec la clef RSA d'identifiant 3D9AEBB5
gpg: Bonne signature de « Ludovic Courtès <ludo@gnu.org> » [totale]
gpg:                 alias « Ludovic Courtès <ludo@chbouib.org> » [totale]
gpg:                 alias « Ludovic Courtès (Inria) <ludovic.courtes@inria.fr> » [totale]
--8<---------------cut here---------------end--------------->8---

(Internally it does use ‘--status-fd’ but that doesn’t help us as
users.)

> Mike Gerwitz's article is a bit long read right now.  I have never
> looked into git to check whether git correctly calls gpg to verify
> signatures.  That should eventually be done.  And yes, please sign your
> commits (I use an Ed25519 key stored on a Gnuk token; which works very
> well).

We sign commits and it’s wonderful; now all we need is tools to actually
use those signatures to authenticate checkouts.  :-)

Thanks for taking the time to comment!

Ludo’.