From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 05 Jun 2016 00:27:27 +0200
Message-ID: <874m98vbcg.fsf@gnu.org>
In-Reply-To: <87fustj59o.fsf@wheatstone.g10code.de> (Werner Koch's message of "Sat, 04 Jun 2016 18:19:31 +0200")
To: Werner Koch
Cc: 22883@debbugs.gnu.org, Justus Winter, neal@walfield.org

Hi Werner,

Werner Koch writes:

> I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has already
> moved to name gpg2 gpg)

We have a policy to respect what upstream does because in general we
cannot or shouldn’t try to guess what’s “best”, IMO. So in this case,
we keep the default names, ‘gpg2’ and ‘gpgv2’. Do you think we should
rename those files?

> because we once wrote it for Debian. It has the simplest semantics
> and thus best fits your purpose. We use it in GnuPG itself for the
> speedo build system; it is sufficient to run this simple script:
>
> --8<---------------cut here---------------start------------->8---
> if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
>   echo "list of software versions is not valid!" >&2
>   exit 1
> fi
> --8<---------------cut here---------------end--------------->8---

OK. The problem I mentioned is that git expects to invoke ‘gpg’, not
‘gpgv’, and it does not provide a way to pass a different argument list:

https://github.com/git/git/blob/master/gpg-interface.c#L213

> In all other context I would suggest the use of GPGME to verify
> signatures, because GPGME also evaluates the trust and all the status
> line gpg spits out.
>
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons. That output creates a well
> defined API and we try very hard never to break it.

I’m aware of it, but unfortunately, git invokes gpg on the user’s
behalf, and all it gives is the human-readable, l10n’d output:

--8<---------------cut here---------------start------------->8---
$ LANGUAGE=fr_FR git log --pretty="format:%H %GG" HEAD |head -4
40d71e44f5068b28f48bd131940260cc0ab2e2d1 gpg: Signature faite le Sun 05 Jun 2016 12:05:39 AM CEST avec la clef RSA d'identifiant 3D9AEBB5
gpg: Bonne signature de « Ludovic Courtès » [totale]
gpg:                 alias « Ludovic Courtès » [totale]
gpg:                 alias « Ludovic Courtès (Inria) » [totale]
--8<---------------cut here---------------end--------------->8---

(Internally it does use ‘--status-fd’ but that doesn’t help us as
users.)

> Mike Gerwitz's article is a bit long read right now. I have never
> looked into git to check whether git correctly calls gpg to verify
> signatures. That should eventually be done. And yes, please sign your
> commits (I use an Ed25519 key stored on a Gnuk token; which works very
> well).

We sign commits and it’s wonderful; now all we need is tools to actually
use those signatures to authenticate checkouts. :-)

Thanks for taking the time to comment!

Ludo’.
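As an added example (not code from this thread, nor from Guix or GnuPG), the script below consumes the `--status-fd` stream Werner refers to, which is also what `git verify-commit --raw` prints on stderr, and reduces it to an accept/reject decision against an allow list of committer key fingerprints, which is the "tools to authenticate checkouts" gap the reply names. The status lines, key ids, fingerprints and user ids are constructed placeholders; the keyword set follows GnuPG's documented status-line format.

```python
import re
# Constructed samples of `gpg --status-fd 1 --verify` output; key ids,
# fingerprints and user ids are placeholders, not real keys.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-06-04 1465077939 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
"""
FOREIGN_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-06-04 1465077939 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Any of these keywords means the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def parse_status(text):
    """Return (keyword, arguments) for every [GNUPG:] line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if m:
            records.append((m.group(1), m.group(2) or ""))
    return records

def signature_verdict(status_text, authorized_fingerprints):
    """Accept exactly one good signature whose full fingerprint is on the allow list.
    Matches the VALIDSIG fingerprints (signing key, and primary key when gpg
    reports it), never the short key id from GOODSIG. Returns (ok, detail)."""
    records = parse_status(status_text)
    if sum(1 for kw, _ in records if kw == "NEWSIG") != 1:
        return (False, "expected exactly one signature")
    if any(kw in FAILURE_KEYWORDS for kw, _ in records):
        return (False, "gpg reported a failure status line")
    valid = [args.split() for kw, args in records if kw == "VALIDSIG"]
    if len(valid) != 1:
        return (False, "no VALIDSIG line")
    fields = valid[0]
    candidates = {fields[0]}        # fingerprint of the key that made the signature
    if len(fields) > 9:
        candidates.add(fields[9])   # primary key fingerprint, when present
    if not candidates & set(authorized_fingerprints):
        return (False, "key %s is not an authorized committer key" % fields[0])
    return (True, fields[0])
```

Feeding it the stderr of `git verify-commit --raw <commit>` gives a locale-independent verdict, unlike the `%GG` text shown above.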