From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 03 Jun 2016 18:12:47 +0200
Message-ID: <87bn3iz1xc.fsf_-_@gnu.org>
In-Reply-To: <874majg0z8.fsf@gnu.org> (Mike Gerwitz's message of "Sat, 30 Apr 2016 00:43:55 -0400")
To: 22883@debbugs.gnu.org

Hello!

So we sign Git commits, and now we want to authenticate Git checkouts.
There’s a series of bad news.

First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and
there’s no way to set it globally.

Second, even if it did, it would be a shallow check: as Mike notes in
with the ‘signchk’ script, you actually have to traverse the whole commit
history and authenticate them one by one.
But that’s OK, it runs in presumably less than a minute on a repo the
size of Guix’s, and we could also stop at signed tags to avoid redundant
checks.

Third, as I wrote before¹, relying on the OpenPGP web of trust to
determine whether a commit is “valid” is inappropriate: what we want to
know is whether a commit was made by an authorized person, not whether it
was made by someone who happens to have an OpenPGP key directly or
indirectly certified. IOW, we want to know whether the key used to sign
the commit is among the authorized developer keys.

Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’,
so if we want to do something different than just ‘gpg --verify’, we have
to put some other ‘gpg’ script in $PATH. Blech.

Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d
output of ‘gpg’. Pretty fragile.

Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on
the CHICKEN bindings², easy! Well no, it turns out that libgit2³ has no
support for signed commits (the ‘signature’ abstraction there has nothing
to do with OpenPGP signatures.)

Seventh, even if it did, what would we do with the raw ASCII-armored
OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d need
to implement OpenPGP (in Guile, maybe based on the OpenPGP library in
Bigloo?)?!

I hope I’m just being negative and I missed an obvious solution or made
wrong hypotheses. Please tell me! :-)

I stumbled upon git-lockup⁴, which uses something other than OpenPGP to
sign objects in Git. However, signatures are not stored in commits but
rather in “git notes”, which, IIUC, are mutable objects detached from the
rest of the object store, so not great.

Cheers,
Ludo’.
¹ http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#40
² http://wiki.call-cc.org/eggref/4/git
³ https://libgit2.github.com/libgit2/
⁴ https://github.com/warner/git-lockup
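The check the message describes, as an added example that is not part of the original message, of Guix, or of the ‘signchk’ script it mentions: walk every commit in a range, verify each OpenPGP signature, and accept a commit only if the key that made the signature is on a fixed allow-list of developer keys, ignoring web-of-trust validity entirely. It assumes `git` and `gpg` are installed and that `git verify-commit --raw` is available (it forwards gpg's machine-readable `--status-fd` lines on stderr, which are what the parser below reads). The fingerprints, commit names and gpg status lines embedded in it are constructed for illustration.

```python
"""Authenticate a range of Git commits against an allow-list of signer keys.

Added example, not code from the original message, from Guix or from the
`signchk` script.  Every commit in the range is verified and accepted only
if its signing key's *primary* fingerprint is on AUTHORIZED_FINGERPRINTS.
Assumes `git verify-commit --raw` (gpg --status-fd lines on stderr).
"""
import re
import subprocess
import sys
from typing import Callable, Iterable, List, Optional, Set

# Constructed allow-list: primary-key fingerprints of authorized committers.
AUTHORIZED_FINGERPRINTS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF01234567",   # "Alice" (constructed)
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",   # "Bob"   (constructed)
}

# VALIDSIG <sig-key-fpr> <date> <ts> <expiry> <ver> <rsv> <pk> <hash> <class>
#          <primary-key-fpr>
# The last field is the primary key even when a signing *subkey* made the
# signature, so that is the value compared against the allow-list.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+)* (\S+)$", re.M)
_GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG ", re.M)


def signer_fingerprint(status: str) -> Optional[str]:
    """Primary-key fingerprint behind a *good* signature, else None.

    GOODSIG (not EXPKEYSIG/REVKEYSIG/BADSIG) and VALIDSIG must both be
    present; anything else is treated like an unsigned commit.
    """
    m = _VALIDSIG.search(status)
    if m is None or _GOODSIG.search(status) is None:
        return None
    return m.group(2)


def is_authorized(status: str, allowed: Set[str]) -> bool:
    """True only if the signature is good AND its key is on the allow-list."""
    fpr = signer_fingerprint(status)
    return fpr is not None and fpr in allowed


def git_verify_status(commit: str, repo: str = ".") -> str:
    """gpg status lines for one commit via `git verify-commit --raw`.
    An unsigned commit yields no status lines, which the caller rejects."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", commit],
                          capture_output=True, text=True, check=False)
    return proc.stderr


def git_rev_list(tip: str, trusted_base: Optional[str] = None,
                 repo: str = ".") -> List[str]:
    """Commits reachable from `tip`, optionally stopping at an already
    authenticated commit or tag (the "stop at signed tags" shortcut)."""
    spec = f"{trusted_base}..{tip}" if trusted_base else tip
    return subprocess.check_output(["git", "-C", repo, "rev-list", spec],
                                   text=True).split()


def authenticate_history(commits: Iterable[str],
                         status_for: Callable[[str], str],
                         allowed: Set[str]) -> List[str]:
    """Return the commits NOT signed by an authorized key (empty == all good).
    `status_for` is injected so the logic runs without a repository;
    in production pass `git_verify_status`."""
    return [c for c in commits if not is_authorized(status_for(c), allowed)]


# Constructed gpg status output for hypothetical commits.
SAMPLE_STATUS = {
    # Alice signs with her primary key; WoT says "undefined" -- irrelevant.
    "alice": ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>\n"
              "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
              "2016-06-03 1464970367 0 4 0 1 8 01 "
              "0123456789ABCDEF0123456789ABCDEF01234567\n"
              "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"),
    # Bob signs with a subkey: signing fpr differs from the primary fpr.
    "bob_subkey": ("[GNUPG:] NEWSIG\n"
                   "[GNUPG:] GOODSIG 76543210FEDCBA98 Bob <bob@example.org>\n"
                   "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 "
                   "2016-06-03 1464970400 0 4 0 1 8 01 "
                   "89ABCDEF0123456789ABCDEF0123456789ABCDEF\n"
                   "[GNUPG:] TRUST_FULLY 0 pgp\n"),
    # Mallory: good signature, fully trusted in the WoT, but not authorized.
    "mallory": ("[GNUPG:] NEWSIG\n"
                "[GNUPG:] GOODSIG 1111111111111111 Mallory <m@example.org>\n"
                "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 "
                "2016-06-03 1464970500 0 4 0 1 8 01 "
                "1111111111111111111111111111111111111111\n"
                "[GNUPG:] TRUST_FULLY 0 pgp\n"),
    # Tampered commit: the signature does not verify.
    "badsig": ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] BADSIG 89ABCDEF01234567 Alice <alice@example.org>\n"),
    # Unsigned commit: git emits no gpg status at all.
    "unsigned": "",
}


if __name__ == "__main__":
    # Usage: python authenticate.py [<tip>] [<trusted-base>] [<repo-dir>]
    tip = sys.argv[1] if len(sys.argv) > 1 else "HEAD"
    base = sys.argv[2] if len(sys.argv) > 2 else None
    repo = sys.argv[3] if len(sys.argv) > 3 else "."
    bad = authenticate_history(git_rev_list(tip, base, repo),
                               lambda c: git_verify_status(c, repo),
                               AUTHORIZED_FINGERPRINTS)
    for c in bad:
        print(f"unauthorized or unsigned commit: {c}")
    sys.exit(1 if bad else 0)
```

Two design points: the allow-list holds primary-key fingerprints and the comparison uses the last VALIDSIG field, so a developer who rotates signing subkeys does not have to be re-added; and a GOODSIG line is required in addition to VALIDSIG, so a signature by an expired or revoked key (EXPKEYSIG/REVKEYSIG) is rejected even though gpg still reports the signature itself as valid.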