From: Ludovic Courtès
To: Ricardo Wurmus
Subject: bug#22883: Authenticating a Git checkout
Date: Thu, 30 Apr 2020 17:32:19 +0200
Message-ID: <87bln9oupo.fsf@gnu.org>
In-Reply-To: <87fth4bj6y.fsf@gnu.org>
Cc: 22883@debbugs.gnu.org, Justus Winter

Hi there!

Ludovic Courtès wrote:

>> You mentioned that checking signatures on commits is also kinda slow
>> because it’s sequential and not cached.  I don’t know what I really
>> want, but is there perhaps a way to aggregate signatures on past commits
>> so that the client’s work is reduced…?
>
> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb
> makes things acceptable: the first “make authenticate” run takes a bit
> more than two minutes to check all the commits starting from ‘v1.0.1’,
> but subsequent runs take a few seconds.
>
> I have plans to make things faster (independently of the cache) by doing
> OpenPGP signature verification entirely in Scheme instead of spawning
> ‘gpgv’ every time.  Again, we’ll have to get a prototype before we can
> tell whether it actually is faster.

I’ve been able to resume work on that in the ‘wip-openpgp’ branch:

  5a86b96f54 git-authenticate: Use (guix openpgp).
  4e66563449 openpgp: Add 'string->openpgp-packet'.
  dc0b5d5e01 openpgp: 'lookup-key-by-{id,fingerprint}' return the key first.
  740d804621 openpgp: 'verify-openpgp-signature' looks up by fingerprint when possible.
  0157c5ef7f openpgp: Add 'lookup-key-by-fingerprint'.
  31fc7cf080 openpgp: Store the issuer key id and fingerprint in .
  c22bede3ce openpgp: Decode the issuer-fingerprint signature subpacket.
  74d0d85e49 DRAFT Add (guix openpgp).

At this stage, ‘make authenticate’ uses the pure-Scheme implementation
(based on Göran Weinholt’s code, heavily modified).  It can authenticate
14K+ commits in ~20s instead of 4m20s on my laptop, which is really nice.

Signature verification in (guix openpgp) does just that: signature
verification.  It does not validate signature and key metadata, in
particular expiration date.  I guess it should at least error out when a
signature creation time is newer than its key expiration time.

It should also reject SHA1 signatures, at least optionally (I haven’t
checked whether our Git history has any of these).

I would very much welcome feedback and advice from an OpenPGP-savvy
person (I’ve Cc’d one to maximize the chances of success :-)).
Next steps:

  • Clean up the (guix openpgp) API a bit, for instance by using proper
    SRFI-35 error conditions.  Perhaps handle v5 packets too.

  • Load the keyring from files in the repo, possibly in a dedicated
    branch.

  • Load the list of authorized keys from the parent of the commit being
    authenticated.

  • Generalize that to channels.

Ludo’.
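
The two metadata checks discussed in the message above (signature creation time against key expiration, and rejection of SHA1 signatures), as an added Python example that is not part of the original message and is not code from (guix openpgp). It reads the hash algorithm and creation time from a v4 signature packet body as laid out in RFC 4880; the function names, the constructed sample packet, and the assumption that the key's creation time and expiration offset have already been parsed are all hypothetical.

```python
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}

def subpackets(area):
    """Yield (type, body) for each subpacket of a v4 subpacket area (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask off the "critical" bit
        i += length

def signature_metadata(body):
    """Return (hash name, creation time or None) for a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    (hashed_len,) = struct.unpack(">H", body[4:6])
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    created = None
    for kind, data in subpackets(hashed):  # hashed area only: unhashed data is unauthenticated
        if kind == 2 and len(data) == 4:   # type 2 = signature creation time
            created = struct.unpack(">I", data)[0]
    return HASH_NAMES.get(body[3], "unknown(%d)" % body[3]), created

def policy_violations(body, key_created, key_expires_after, reject_sha1=True):
    """Metadata checks to run once the signature itself has verified.
    key_expires_after is seconds after key creation; None means the key never expires."""
    hash_name, created = signature_metadata(body)
    problems = ["SHA1 signature"] if reject_sha1 and hash_name == "SHA1" else []
    if created is None:
        problems.append("no creation time in hashed area")
    elif key_expires_after is not None and created > key_created + key_expires_after:
        problems.append("signature created after key expiration")
    return problems

def sample_signature(hash_id, created):
    """Constructed v4 body: binary signature, RSA, one hashed subpacket, no MPIs."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    return bytes([4, 0x00, 1, hash_id]) + struct.pack(">H", len(hashed)) + hashed + bytes(4)
```

The creation time is taken from the hashed subpacket area only, so the comparison is meaningful only after cryptographic verification has succeeded.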