From: Ludovic Courtès
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Wed, 08 Jan 2020 14:30:04 +0100
Message-ID: <87sgkqdqjn.fsf@gnu.org>
To: Jakub Kądziołka
Cc: 22883@debbugs.gnu.org

Hello,

Jakub Kądziołka wrote:

> Ludovic Courtès wrote:

[...]

>> How do you ensure that you obtained a genuine copy of the repository?
>> Guix itself provides a tool to “authenticate” your checkout, but you
>> must first make sure this tool is genuine in order to “bootstrap” the
>> trust chain.  To do that, run:
>>
>>   git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
>>
>> The output must look something like:
>>
>>   gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
>>   gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>   ...
>>   gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
>>   gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>   ...
>>
>> ... meaning that changes to this file are all signed with key
>> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
>> key from a key server, if you have not done it yet).
>>
>> From there on, you can authenticate all the commits included in your
>> checkout by running:
>>
>>   make authenticate
>>
>> The first run takes a couple of minutes, but subsequent runs are
>> faster.
>>
>>      Note: You are advised to run ‘make authenticate’ after every ‘git
>>      pull’ invocation.  This ensures you keep receiving valid changes to
>>      the repository
>> --8<---------------cut here---------------end--------------->8---
>
> Sadly, these instructions don't work from a fresh clone. There is only
> Makefile.am and no Makefile itself, so you get
>
> $ make authenticate
> make: *** No rule to make target 'authenticate'. Stop.

Uh, good point.

> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.

It works as long as I’m the only one modifying it (the instructions
above explicitly mention my OpenPGP key).  This is obviously suboptimal
though.  In a comment in ‘contributing.texi’, I wrote:

  @c XXX: Adjust instructions when there's a known tag to start from.

That would simplify things.

> There's also the issue of trusting pre-inst-env, which is used to run
> the verification. Should that be passed to 'git log --format=%H' next to
> git-authenticate.scm? This also applies to any scripts you use to drive
> this process, like the Makefile.

Yes, this ./pre-inst-env thing and more generally the fact that we’re
potentially running just-pulled code to authenticate the code is a
problem.

We can solve it by removing ./pre-inst-env from the command in ‘make
authenticate’.  It will require people to have a recent-enough Guix
already installed (in particular with commit
f94f9d67e65975724ee5b5cbc936c0895a258685), but I think that’s
unavoidable: the assumption will be that we trust the already-installed
host tools and use them to authenticate the new code.

Thoughts?

Ludo’.
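
Added example, not part of the original message and not Guix's own code: the manual bootstrap check from the quoted instructions (every commit touching build-aux/git-authenticate.scm must carry a valid signature from the stated key), scripted against the machine-readable status lines of `git verify-commit --raw` instead of reading gpg's human-readable output. The function names are hypothetical, and it assumes the key is already in the local keyring.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Guix.

# Read GnuPG status lines on stdin, as written by `git verify-commit --raw`.
# Line format: [GNUPG:] VALIDSIG <signing-fpr> <date> ... <primary-fpr>
# Succeed only if a VALIDSIG names fingerprint $1 (as signing or primary key)
# and no BADSIG/ERRSIG line appears.
status_signed_by() {
    want=$1
    found=1
    while read -r tag kind first rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kind in
            BADSIG|ERRSIG) return 1 ;;
            VALIDSIG)
                if [ "$first" = "$want" ] || [ "${rest##* }" = "$want" ]; then
                    found=0
                fi ;;
        esac
    done
    return "$found"
}

# Check every commit that touched FILE ($1) against fingerprint $2.
# Fails if any commit is unsigned, badly signed, or signed by another key,
# and also if the file has no history at all (nothing was verified).
verify_file_history() {
    file=$1
    fpr=$2
    checked=0
    rc=0
    for commit in $(git log --format=%H -- "$file"); do
        checked=$((checked + 1))
        # --raw makes git print gpg's status output on stderr, hence 2>&1.
        if ! git verify-commit --raw "$commit" 2>&1 | status_signed_by "$fpr"; then
            echo "not signed by $fpr: $commit" >&2
            rc=1
        fi
    done
    [ "$checked" -gt 0 ] || rc=1
    return "$rc"
}

# Usage, with the file and key named in the quoted instructions:
#   verify_file_history build-aux/git-authenticate.scm \
#       3CE464558A84FDC69DB40CFB090B11993D9AEBB5
```

Unlike the eyeball check, this fails closed: a commit with no signature, a bad signature, or a different signer makes the function return non-zero and names the commit.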