unofficial mirror of bug-guix@gnu.org 
* bug#60852: git-authenticate edge case for certain key setup.
From: Hilton Chain via Bug reports for GNU Guix @ 2023-01-16  7:29 UTC (permalink / raw)
  To: 60852


I encountered the issue when adding a new key to my Guix channel.  Though I
haven't figured out what happened exactly, I'm currently able to reproduce the
issue with the following steps.

1. Generate two keypairs.  Key One with the preset "ECC and ECC", Key Two with
"ECC (set your own capabilities)" and only keep the Certify capability, then
add a Sign subkey to Key Two.  All Curve 25519.

#+RESULTS:
: /tmp/test/pubring.kbx
: ---------------------
: sec   ed25519/676A52381FFD80C5 2023-01-16 [SC]
:       Key fingerprint = 21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5
: uid                 [ultimate] Key One
: ssb   cv25519/BA35E2E29D6E4CE4 2023-01-16 [E]
:       Key fingerprint = 450A DF8C 6FE4 AEFF EC75  EBD9 BA35 E2E2 9D6E 4CE4
:
: sec   ed25519/06DE4CED9A91AB7B 2023-01-16 [C]
:       Key fingerprint = 4A45 EC76 DA2B 389A FE2F  C887 06DE 4CED 9A91 AB7B
: uid                 [ultimate] Key Two
: ssb   ed25519/3BE8CD60E408A705 2023-01-16 [S]
:       Key fingerprint = 405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705


2. Create a new git repository, commit public keys of the two to the "keyring"
branch.  Then commit file ".guix-authorizations" to the "main" branch with the
following code:
#+begin_src scheme
  (authorizations
   (version 0)
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
     (name "Key One"))))
#+end_src

Configure git to sign commits with Key One, change the ".guix-authorizations"
file to the following and commit:
#+begin_src scheme
  (authorizations
   (version 0)
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
     (name "Key One")))
   (("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705"
     (name "Key Two"))))
#+end_src

Then change the signing key to Key Two and add a new commit.

Now there're three commits:
#+RESULTS:
: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 (HEAD -> main)
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
:     test
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
:     Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
:     Authorize Key One.


3. Invoke `guix git authenticate`...with error.

#+begin_src shell
  guix git authenticate c9476062a2f341e9ee95a60d17cf2233b7c55ff4 "21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
#+end_src

#+RESULTS:
: Authenticating commits c947606 to 5240bae (1 new commits)...
: [##############################################################################]guix git: error: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 not signed by an authorized key: 405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705


4. However, if I swap positions of the two fingerprints, it works.

New ".guix-authorizations" file:
#+begin_src scheme
  (authorizations
   (version 0)
   (("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705"
     (name "Key Two")))
   (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5"
     (name "Key One"))))
#+end_src

New commit history:
#+RESULTS:
: commit 7e4d98eea0e89652554d822503096371e5d59f3b (HEAD -> main)
: Author: Test <test@example.com>
: Date:   Mon Jan 16 14:52:37 2023 +0800
:
:     test
:
: commit a44434b1a9bd955cc897dea4c44abe64d6ab8112
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
:     Swap positions of the two fingerprints.
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
:     Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test <test@example.com>
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
:     Authorize Key One.

And a new `guix git authenticate` result:
#+RESULTS:
: Authenticating commits c947606 to 7e4d98e (2 new commits)...

🥴




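Added example, not part of the thread and not Guix code: a structural check of the `.guix-authorizations` file from step 2 of the report above. The layout documented in the Guix manual keeps every entry in one list after `(version 0)`; the checker reports fingerprints that sit in a later sibling list, as the Key Two entry does in the reported file. That such entries are not treated as authorized is an assumption of this example, and `read_sexp`, `fingerprints` and `audit_authorizations` are hypothetical helper names.

```python
import re

# Content of the second file in step 2 of the report (whitespace condensed).
REPORTED = '''(authorizations
 (version 0)
 (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5" (name "Key One")))
 (("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705" (name "Key Two"))))'''
# Constructed for comparison: the same two keys in a single entry list.
SINGLE_LIST = '''(authorizations
 (version 0)
 (("21D3 9304 CED7 A5CF 50B6  0B80 676A 5238 1FFD 80C5" (name "Key One"))
  ("405C B557 DE1F 1254 B012  640A 3BE8 CD60 E408 A705" (name "Key Two"))))'''

TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|;[^\n]*|[^\s()";]+')

def read_sexp(text):
    """Parse the first s-expression in text into nested lists of tokens."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith(';')]
    pos = 0
    def parse():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != '(':
            return tok              # atoms and quoted strings stay as text
        items = []
        while tokens[pos] != ')':
            items.append(parse())
        pos += 1                    # consume the closing ')'
        return items
    return parse()

def fingerprints(group):
    """Fingerprints of the ("FPR" ...) entries in one list, spaces removed."""
    return [re.sub(r'\s', '', e[0].strip('"')).upper() for e in group
            if isinstance(e, list) and e and isinstance(e[0], str) and e[0].startswith('"')]

def audit_authorizations(text):
    """Return (fingerprints in the first entry list, fingerprints in later lists)."""
    form = read_sexp(text)
    if form[:2] != ['authorizations', ['version', '0']]:
        raise ValueError('expected (authorizations (version 0) ...)')
    groups = [g for g in form[2:] if isinstance(g, list)]
    listed = fingerprints(groups[0]) if groups else []
    stray = [f for g in groups[1:] for f in fingerprints(g)]  # assumed not authorized
    return listed, stray

if __name__ == '__main__':
    for label, text in (('reported', REPORTED), ('single list', SINGLE_LIST)):
        print(label, audit_authorizations(text))
```
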

* bug#60852: git-authenticate edge case for certain key setup.
From: Ludovic Courtès @ 2023-01-17 15:18 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 60852

Hi,

Hilton Chain <hako@ultrarare.space> skribis:

> I encountered the issue when adding a new key to my Guix channel.  Though I
> haven't figured out what happened exactly, I'm currently able to reproduce the
> issue with the following steps.

Fishy.  Would you be able to write a script to reproduce the whole
scenario?  That’d make it easier to test and we’d be sure we’re talking
about the same thing.

Thanks for reporting it!

Ludo’.





* bug#60852: git-authenticate edge case for certain key setup.
From: Hilton Chain via Bug reports for GNU Guix @ 2023-01-25 16:48 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 60852

On Tue, 17 Jan 2023 23:18:13 +0800,
Ludovic Courtès wrote:
> 
> Hi,
> 
> Hilton Chain <hako@ultrarare.space> skribis:
> 
> > I encountered the issue when adding a new key to my Guix channel.  Though I
> > haven't figured out what happened exactly, I'm currently able to reproduce the
> > issue with the following steps.
> 
> Fishy.  Would you be able to write a script to reproduce the whole
> scenario?  That’d make it easier to test and we’d be sure we’re talking
> about the same thing.
> 
> Thanks for reporting it!
> 
> Ludo’.

I created a git repository and uploaded it to GitHub:
<https://github.com/rakino/bug-60852>

Outputs:
: gpg: key 8FDEAEDC3B8C0109: public key "Key One" imported
: gpg: key 8FDEAEDC3B8C0109: secret key imported
: gpg: Total number processed: 1
: gpg:               imported: 1
: gpg:       secret keys read: 1
: gpg:   secret keys imported: 1
: gpg: key FC92800E84F3F3B6: public key "Key Two" imported
: gpg: key FC92800E84F3F3B6: secret key imported
: gpg: Total number processed: 1
: gpg:               imported: 1
: gpg:       secret keys read: 1
: gpg:   secret keys imported: 1
: [trunk 083b7ef] Authorize Key One.
:  1 file changed, 4 insertions(+)
:  create mode 100644 .guix-authorizations
: [trunk 1602009] Authorize Key Two.
:  1 file changed, 3 insertions(+), 1 deletion(-)
: [trunk 732579e] Test.
:  1 file changed, 1 insertion(+)
:  create mode 100644 dummy
: Authenticating commits 083b7ef to 732579e (2 new commits)...
: [#######################################                                       ]guix git: error: commit 732579e0f0dc6d15dbd2ea6826e01ae3aaf999a4 not signed by an authorized key: E1B1 7BEA 095F 5B25 4135  F6D1 F820 25E7 800B 3CCF
: HEAD is now at 083b7ef Authorize Key One.
: [trunk af4fae1] Authorize Key Two.
:  1 file changed, 2 insertions(+)
: [trunk 4b90546] Test.
:  1 file changed, 1 insertion(+)
:  create mode 100644 dummy
: Authenticating commits 083b7ef to 4b90546 (2 new commits)...
: HEAD is now at 0ba5461 Add start.sh.
