From mboxrd@z Thu Jan  1 00:00:00 1970
From: Vagrant Cascadian <vagrant@debian.org>
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Sat, 28 Dec 2019 18:45:34 -0800
Message-ID: <87a77bzw6p.fsf__12272.546701$1577587605$gmane$org@yucca>
References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net>
 <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net>
 <877ek364u5.fsf@gnu.org> <87mubmodfb.fsf_-_@gnu.org> <87eewqgc1v.fsf@gnu.org>
 <87o8vto5rl.fsf@elephly.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:39114)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ilOaj-0005Bk-Ps
 for bug-guix@gnu.org; Sat, 28 Dec 2019 21:46:06 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1ilOah-0000eN-BD
 for bug-guix@gnu.org; Sat, 28 Dec 2019 21:46:05 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:53155)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1ilOag-0000dx-1s
 for bug-guix@gnu.org; Sat, 28 Dec 2019 21:46:02 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.22883.B22883.157758754910053@debbugs.gnu.org>
In-Reply-To: <87o8vto5rl.fsf@elephly.net>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>, Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 2019-12-27, Ricardo Wurmus wrote:
>>   b3011dbbd2 doc: Mention "make authenticate".
>>   787766ed1e git-authenticate: Keep a local cache of previously-authenti=
cated commits.
>>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
>>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
>>
>> Commit 787766ed1e takes care of caching (one of the limitations I
>> mentioned in my previous message).
>>
>> Commit b3011dbbd2 adds instructions for contributors on how to
>> authenticate a checkout (copied below).  It=E2=80=99s a bit bumpy so I w=
ould
>> very much welcome feedback and suggestions on how to improve this!
>
> This is great!

Yes! Yes!


> Thank you for the instructions.  I thought I had all keys, but
> apparently at least one of them is missing.  =E2=80=9Cmake authenticate=
=E2=80=9D fails
> for me with this error:
>
> Throw to key `srfi-34' with args `(#<condition &message [message: "could =
not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B9435=
09D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
>
> I previously downloaded the gpg keyring from Savannah:
>
>     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix
>
> Looks like Hartmut used to use a different key, which I don=E2=80=99t hav=
e.

I got this too, and manually worked around it by downloading
guix-keyring.gpg from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&down=
load=3D1

And running:

  gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.=
kbx --import ~/guix-keyring.gpg

It seems to be working now... how is the keyring *supposed* to be
populated? Before I manually imported guix-keyring.gpg into guix.kbx,
there were a very small number of keys present.


It's a little awkward that it uses the fingerprint of the signing key
rather than the primary key, as by default things like "gpg --list-keys"
do not display the fingerprint of signing keys, only the primary key, so
it is an adventure in gpg commandline options to correlate them.

"gpg log --show-signature" also reports the the primary key fingerprint,
if the key is available in the keyring, and only the subkey fingerprint
for unknown keys if I remember correctly.

It would be nice if the statistics would display the primary uid
instead, as it is something a little more human readable, and the
primary key fingerprint, as it is a little easier to find. :)


I'm hoping the eventual goal is to integrate this into guix pull?


Very nice to see progress on this issue!


live well,
  vagrant

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXggTTgAKCRDcUY/If5cW
qrIgAQCYAiX3kvfC2ArneJQIxY9cVyHAj37e09R2Tj7kCG6HngEApLr9wyBNN7ov
03cuGuSfLjJgYM9vkRSuoD8qIYqeVwo=
=/KWb
-----END PGP SIGNATURE-----
--=-=-=--