From: Werner Koch
Subject: bug#22883: Trustable "guix pull"
Date: Sat, 04 Jun 2016 18:19:31 +0200
Message-ID: <87fustj59o.fsf@wheatstone.g10code.de>
References: <87io14sqoa.fsf@dustycloud.org>
In-reply-to: 87bn3iz1xc.fsf_-_@gnu.org
List-Id: Bug reports for GNU Guix
To: 22883@debbugs.gnu.org
Cc: Justus Winter, neal@walfield.org

Hi,

Ludo' asked us to send some comments on how to verify git commits. I only had time to quickly browse the mail thread.

I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has already moved to name gpg2 gpg) because we once wrote it for Debian. It has the simplest semantics and thus best fits your purpose. We use it in GnuPG itself for the speedo build system; it is sufficient to run this simple script:

--8<---------------cut here---------------start------------->8---
# $GPGV is the gpgv binary; $distsigkey is a keyring holding only the
# distribution signing keys.  gpgv treats every key in that keyring as
# trusted, so the keyring contents are the whole trust policy.
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
  echo "list of software versions is not valid!" >&2
  exit 1
fi
--8<---------------cut here---------------end--------------->8---

In all other contexts I would suggest the use of GPGME to verify signatures, because GPGME also evaluates the trust and all the status lines gpg spits out. There are no issues with l10n because _all_ scripts SHOULD use gpg with the options --status-fd and --with-colons. That output creates a well-defined API and we try very hard never to break it.

Mike Gerwitz's article is a bit of a long read right now. I have never looked into git to check whether git correctly calls gpg to verify signatures. That should eventually be done.

And yes, please sign your commits (I use an Ed25519 key stored on a Gnuk token, which works very well).

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
 /* EFH in Erkrath: https://alt-hochdahl.de/haus */

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAldS/5MACgkQTwVA1Xf5X5UTbwCcDeNN2/ePPwpepQAntqID3Xgd
Mg4An2pyS784pTkPxV1e6WwrXkb0TOWr
=24e4
-----END PGP SIGNATURE-----
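The `--status-fd` API that the message above recommends, applied to the same gpgv call, as an added example that is not code from the original message nor from GnuPG or Guix. It assumes `gpgv` is on PATH and that the caller pins the fingerprints of the keys allowed to sign; the names `run_gpgv`, `parse_status` and `evaluate_status` are this example's own, and the status lines it is exercised on are constructed, with made-up fingerprints and key IDs.

```python
"""Verify a detached signature with gpgv and decide from its --status-fd output.

Added example, not code from the original message or from GnuPG/Guix.
Assumptions: `gpgv` is on PATH; the caller pins the fingerprints of the keys
allowed to sign; `run_gpgv`, `parse_status` and `evaluate_status` are this
example's own names.
"""
import subprocess
from typing import Iterable, Iterator, List, Set, Tuple

# Status keywords on a signature that mean the file must be rejected.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(lines: Iterable[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, args) for every '[GNUPG:] ...' line; anything else is ignored."""
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split()
        if parts:
            yield parts[0], parts[1:]


def evaluate_status(lines: Iterable[str], allowed_fprs: Set[str]) -> Tuple[bool, str]:
    """Policy: every signature on the file must verify, and at least one must
    come from a pinned key.  VALIDSIG args are <fpr> <sig-date> <sig-timestamp>
    <expire-timestamp> <sig-version> <reserved> <pubkey-algo> <hash-algo>
    <sig-class> <primary-key-fpr>; both the signing-(sub)key fingerprint and
    the primary-key fingerprint are accepted as the pinned value."""
    allowed = {f.upper() for f in allowed_fprs}
    valid = 0
    for keyword, args in parse_status(lines):
        if keyword in FAILURE_KEYWORDS:
            return False, keyword + (" " + args[0] if args else "")
        if keyword == "VALIDSIG":
            if not args:
                return False, "malformed VALIDSIG"
            fpr = args[0].upper()
            primary = args[9].upper() if len(args) > 9 else fpr
            if fpr not in allowed and primary not in allowed:
                return False, "valid signature but key is not pinned: " + fpr
            valid += 1
    if valid == 0:
        return False, "no valid signature from a pinned key"
    return True, "%d valid signature(s) from pinned keys" % valid


def run_gpgv(keyring: str, sig_path: str, data_path: str,
             allowed_fprs: Set[str]) -> Tuple[bool, str]:
    """Run gpgv with status lines on stdout (--status-fd 1).  Human-readable
    messages stay on stderr, so localisation never affects the decision."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
    return evaluate_status(proc.stdout.splitlines(), allowed_fprs)


# Constructed sample output; the fingerprints and key IDs below are made up.
PINNED_FPR = "A1B2C3D4" * 5   # 40 hex digits, a fake primary-key fingerprint
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C3D4A1B2C3D4A1B2 Example Dist Key <dist@example.invalid>
[GNUPG:] VALIDSIG {fpr} 2016-06-04 1465057171 0 4 0 22 8 00 {fpr}
""".format(fpr=PINNED_FPR)
TAMPERED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG C3D4A1B2C3D4A1B2 Example Dist Key <dist@example.invalid>
"""
UNKNOWN_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0000000000000001 22 8 00 1465057171 9 -
[GNUPG:] NO_PUBKEY 0000000000000001
"""

if __name__ == "__main__":
    samples = [("good", GOOD_STATUS), ("tampered", TAMPERED_STATUS),
               ("unknown key", UNKNOWN_KEY_STATUS)]
    for name, text in samples:
        print(name, evaluate_status(text.splitlines(), {PINNED_FPR}))
```

The decision is made only on `[GNUPG:]` lines, never on the translated text gpgv writes to stderr, and the fingerprint carried by `VALIDSIG` is what lets a script pin keys rather than trusting whatever happens to be in the keyring. A file carrying two signatures where one fails is rejected outright; relax `FAILURE_KEYWORDS` only if that is a deliberate policy choice.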