From: Ludovic Courtès
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Fri, 27 Dec 2019 13:58:36 +0100
To: 22883@debbugs.gnu.org
Cc: Guix-devel

Hello Guix!

Ludovic Courtès skribis:

> To begin with, I propose the attached script: when given a commit range,
> it authenticates each commit, meaning that it ensures commits have a
> valid signature and that that signature was made by one of the
> authorized keys.  Sample session:
>
>   $ time ./pre-inst-env guile -e git-authenticate build-aux/git-authenticate.scm d68de958b60426798ed62797ff7c96c327a672ac 099ce5d4901706dc2c5be888a5c8cbf8fcd0d576
>   Authenticating d68de95 to 099ce5d (7938 commits)...
>   Signing statistics:
>     BCA689B636553801C3C62150197A5888235FACAC 1454
>     3CE464558A84FDC69DB40CFB090B11993D9AEBB5 1025
>     BBB02DDF2CEAF6A80D1DE643A2A06DF2A33A54FA 941
>
>   [...]
>
>   real 2m21.272s
>   user 1m38.741s
>   sys 0m59.546s

I’ve now committed this file:

  b3011dbbd2 doc: Mention "make authenticate".
  787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
  785af04a75 git: 'commit-difference' takes a list of excluded commits.
  1e43ab2c03 Add 'build-aux/git-authenticate.scm'.

Commit 787766ed1e takes care of caching (one of the limitations I
mentioned in my previous message).

Commit b3011dbbd2 adds instructions for contributors on how to
authenticate a checkout (copied below).  It’s a bit bumpy so I would
very much welcome feedback and suggestions on how to improve this!

Thanks in advance!

Ludo’.

--8<---------------cut here---------------start------------->8---
If you want to hack Guix itself, it is recommended to use the latest
version from the Git repository:

     git clone https://git.savannah.gnu.org/git/guix.git

How do you ensure that you obtained a genuine copy of the repository?
Guix itself provides a tool to “authenticate” your checkout, but you
must first make sure this tool is genuine in order to “bootstrap” the
trust chain.  To do that, run:

     git verify-commit `git log --format=%H build-aux/git-authenticate.scm`

The output must look something like:

     gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
     gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
     ...
     gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
     gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
     ...
     ...

meaning that changes to this file are all signed with key
‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
key from a key server, if you have not done it yet).

From there on, you can authenticate all the commits included in your
checkout by running:

     make authenticate

The first run takes a couple of minutes, but subsequent runs are faster.

     Note: You are advised to run ‘make authenticate’ after every ‘git
     pull’ invocation.  This ensures you keep receiving valid changes
     to the repository.
--8<---------------cut here---------------end--------------->8---
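
The check the message describes (every commit in a range carries a valid signature made by an authorized key, with previously authenticated commits skipped and per-key statistics kept), sketched as an added example; it is not part of the original message and is not Guix's build-aux/git-authenticate.scm. Assumptions: signature data comes from git's `%H %G? %GF` log placeholders, the authorized list holds only the key named above, statuses G and U count as valid, and all function names and sample commit ids are hypothetical.

```python
import subprocess
from collections import Counter

KEY = "3CE464558A84FDC69DB40CFB090B11993D9AEBB5"  # key named in the message
AUTHORIZED = {KEY}  # assumption: a real list holds every committer's key

def signature_lines(commit_range):
    """Return 'commit status fingerprint' lines for a range (runs git and gpg)."""
    cmd = ["git", "log", "--format=%H %G? %GF", commit_range]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return done.stdout.splitlines()

def authenticate(lines, authorized=AUTHORIZED, cache=frozenset()):
    """Return (per-key counts, newly authenticated commits).

    Raises ValueError on the first commit that is unsigned, badly signed,
    or signed by a key outside `authorized`.
    """
    stats, fresh = Counter(), []
    for line in lines:
        fields = line.split()
        commit, status = fields[0], fields[1]
        if commit in cache:  # authenticated by an earlier run, skip it
            continue
        fingerprint = fields[2] if len(fields) > 2 else ""
        # %G? prints G for a good signature and U for a good signature whose
        # key has unknown validity in the local keyring. Accepting both is
        # this example's policy: trust comes from `authorized`, not from gpg.
        if status not in ("G", "U"):
            raise ValueError(f"{commit}: no valid signature (status {status})")
        if fingerprint not in authorized:
            raise ValueError(f"{commit}: unauthorized key {fingerprint}")
        stats[fingerprint] += 1
        fresh.append(commit)
    return stats, fresh

# Constructed sample in the "%H %G? %GF" layout; commit ids are made up.
SAMPLE = [f"{'a' * 40} G {KEY}", f"{'b' * 40} U {KEY}", f"{'c' * 40} N"]

if __name__ == "__main__":
    stats, fresh = authenticate(SAMPLE[:2])
    print(dict(stats), len(fresh))
    try:
        authenticate(SAMPLE, cache=set(fresh))  # only the unsigned commit left
    except ValueError as err:
        print("rejected:", err)
```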