From mboxrd@z Thu Jan  1 00:00:00 1970
From: Werner Koch <wk@gnupg.org>
Subject: bug#22883: Trustable "guix pull"
Date: Sat, 04 Jun 2016 18:19:31 +0200
Message-ID: <87fustj59o.fsf@wheatstone.g10code.de>
References: <87io14sqoa.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: multipart/signed;
	boundary="=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU";
	micalg=pgp-sha1; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:34887)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9EKt-0005Yo-Po
	for bug-guix@gnu.org; Sat, 04 Jun 2016 12:22:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9EKn-0000hG-Rj
	for bug-guix@gnu.org; Sat, 04 Jun 2016 12:22:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:42208)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1b9EKn-0000hC-OS
	for bug-guix@gnu.org; Sat, 04 Jun 2016 12:22:01 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.22883.B22883.146505729027477@debbugs.gnu.org>
In-reply-to: 87bn3iz1xc.fsf_-_@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 22883@debbugs.gnu.org
Cc: Justus Winter <justus@gnupg.org>, neal@walfield.org

--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU
Content-Transfer-Encoding: quoted-printable

Hi,

Ludo' asked us to send some comments on how to verify git commits.  I
only had time to quickly browse the mail thread.

I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread
moved to name gpg2 gpg) because we once wrote it for Debian.  It has the
simplest semantics and thus best fits your purpose.  We use it in GnuPG
itself for the speedo build system; it is sufficent to run this simple
script:

=2D-8<---------------cut here---------------start------------->8---
  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
    echo "list of software versions is not valid!" >&2
    exit 1
  fi
=2D-8<---------------cut here---------------end--------------->8---

In all other context I would suggest the use of GPGME to verify
signatures, because GPGME also evaluates the trust and all the status
line gpg spits out.

There are no issues with l10n because _all_ scripts SHOULD use gpg with
the options --status-fd and --with-colons.  That output creates a well
defined API and we try very hard never to break it.

Mike Gerwitz's article is a bit long read right now.  I have never
looked into git to check whether git correctly calls gpg to verify
signatures.  That should eventually be done.  And yes, please sign your
commits (I use an Ed25519 key stored on a Gnuk token; which works very
well).


Shalom-Salam,

   Werner


=2D-=20
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */

--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAldS/5MACgkQTwVA1Xf5X5UTbwCcDeNN2/ePPwpepQAntqID3Xgd
Mg4An2pyS784pTkPxV1e6WwrXkb0TOWr
=24e4
-----END PGP SIGNATURE-----
--=ICE-propaganda-9/11-computer-terrorism-plutonium-CipherTAC-2000-ANZU--