From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
Subject: bug#22883: Authenticating a Git checkout
Date: Tue, 24 Oct 2017 16:30:02 -0700
Message-ID: <87bmkwm8ed.fsf@gnu.org>
References: <87io14sqoa.fsf@dustycloud.org> <87h9ep8gxk.fsf@gnu.org>
	<20160426001359.GA23088@jasmine> <874majg0z8.fsf@gnu.org>
	<87bn3iz1xc.fsf_-_@gnu.org> <87wpket748.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53558)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e78f3-0006ES-DB
	for bug-guix@gnu.org; Tue, 24 Oct 2017 19:31:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e78f0-0000tW-9z
	for bug-guix@gnu.org; Tue, 24 Oct 2017 19:31:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:51725)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e78f0-0000tG-5p
	for bug-guix@gnu.org; Tue, 24 Oct 2017 19:31:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.22883.B22883.150888780829701@debbugs.gnu.org>
In-Reply-To: <87wpket748.fsf@gnu.org> ("Ludovic
	\=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\=
	\=\?utf-8\?Q\?s\?\= message of "Fri, 22 Jul 2016 10:22:15 +0200")
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 22883@debbugs.gnu.org

Hello,

Just a note for later=E2=80=A6

ludo@gnu.org (Ludovic Court=C3=A8s) skribis:

> With the quick-hack libgit2 bindings attached, I can run this program,
> which authenticates HEAD:

[...]

> So I think we can go from here.  Our repo would contain a Scheme list of
> authorized OpenPGP fingerprints, and we=E2=80=99d check whether the finge=
rprint
> that shows up in =E2=80=98valid-signature=E2=80=99 above is among them

Storing the list of authorized keys in a file in the repo is
inconvenient: simply to retrieve it, you=E2=80=99d need to make a checkout.=
  So
for each commit we verify, we have to check out the whole repo, which is
inefficient.

While reading
<http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I
realized we could store in empty Git commit messages, which would
address the above problem (we could use a custom object type too, but
that would be less convenient.)

So the special commit could look like:

  Authorization

  (commit-authorizations
    (authorization-commit (KEY1 KEY2 =E2=80=A6))
    (files ("hydra.gnu.org.pub") (KEY1 KEY2 =E2=80=A6))
    (files _ (KEY1 KEY2 =E2=80=A6))) ;all other files

That way, to authenticate a commit, we first fetch the latest
authorization commit, read the authorization rules from there, and make
sure that the changes it makes match the rules.

Thoughts?

Ludo=E2=80=99.