From: Vagrant Cascadian
Subject: bug#22883: Trustable "guix pull"
Date: Tue, 28 Aug 2018 12:56:02 -0700
Message-ID: <87tvnemfjh.fsf@aikidev.net>
In-Reply-To: <87io14sqoa.fsf@dustycloud.org>
To: 22883@debbugs.gnu.org

This isn't exactly pretty, and obviously a better long-term solution is needed, but I wrote a quick shell script to at least partially address some of my biggest fears with guix pull...

Basically, it updates a git checkout, checks the signatures on the commits, looking for the topmost commit signed by a key in a specific keyring, and then runs guix pull with that commit.

It relies on a custom gpg directory and assumes any of the keys in the keyring are valid potential signers of the commits; the web of trust is essentially ignored.

I really don't like having a custom GNUPGHOME, but I didn't see any other obvious way to pass arguments to git to use a custom keyring.

I populated this GNUPGHOME with keys from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And then ran gpg --refresh-keys on it, as several keys were outdated/expired.

(an alternative approach to populate the keyring might be: https://gitlab.com/Efraim/guix-keyring)

It also assumes a git checkout where "git pull" pulls from the correct repository.

It assumes guix --version returns a valid git hash, so would require some more tweaks to get it working from a fresh guix install.

All those caveats aside, it seems to work well enough for me, and writing this email took longer than writing the script. :)

live well,
  vagrant

#!/bin/sh
set -x
set -e

workdir=/home/vagrant/src/guix
# A dedicated keyring: only the keys placed in it count as acceptable signers.
export GNUPGHOME=$workdir/verified-pull/gnupg

cd "$workdir"
git pull

# The commit the running guix was built from; everything newer is a candidate.
guixversion=$(guix --version | awk '/^guix/{print $4}')

# One line per commit, newest first: "<signature status>,<hash>".
commits=$(git log "${guixversion}".. --pretty='format:%G?,%H')
# %G?: show
#   "G" for a good (valid) signature,
#   "B" for a bad signature,
#   "U" for a good signature with unknown validity,
#   "X" for a good signature that has expired,
#   "Y" for a good signature made by an expired key,
#   "R" for a good signature made by a revoked key,
#   "E" if the signature cannot be checked (e.g. missing key) and
#   "N" for no signature

for commitlog in $commits ; do
  commitverify=$(echo "$commitlog" | cut -d , -f 1)
  commit=$(echo "$commitlog" | cut -d , -f 2)
  case $commitverify in
    G|U)
      # Re-check the signature explicitly, then pull exactly that commit.
      git verify-commit "$commit" && \
        guix pull --url=file://"$workdir" --commit="$commit" && \
        exit 0
      ;;
  esac
done

echo unable to find signed commit
exit 1
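As an added example (not the script from the email, nor anything from the Guix project), the following shell function isolates the commit-selection step the message describes: it reads `git log --pretty='format:%G?,%H'` output, newest first, and prints the first commit whose signature status passes a policy. The "keyring" policy mirrors the email's script (accept "G" and "U", i.e. trust whatever is in the keyring and ignore the web of trust); the "strict" policy accepts only "G", so the key must also be considered valid by gpg. The function name, the policy names and the sample log lines and hashes are constructed for this example.

```shell
#!/bin/sh
# Added example, not the email's script: pick a commit to pull from
# `git log --pretty='format:%G?,%H'` output (newest first) under a policy.
# Reads the log on stdin and prints the chosen hash; returns 1 if none.
#
# Policy "keyring": accept "G" (valid) and "U" (good signature, key present
#   but of unknown validity), i.e. trust the keyring contents as the email's
#   script does, ignoring the web of trust.
# Policy "strict":  accept only "G", so gpg's validity computation (web of
#   trust or explicit ownertrust) must vouch for the signing key.
# Everything else ("B", "X", "Y", "R", "E", "N") is skipped; the first
# accepted hash wins because the log is ordered newest-first.
pick_signed_commit() {
    policy=${1:-keyring}
    while IFS=, read -r status hash; do
        case "$policy:$status" in
            keyring:G|keyring:U|strict:G)
                printf '%s\n' "$hash"
                return 0
                ;;
        esac
    done
    return 1
}

# Constructed sample log (placeholder hashes, not real Guix commits):
# newest commit unsigned, then one signed by a key of unknown validity,
# then a fully valid one, then a bad signature.
SAMPLE_LOG='N,1111111111111111111111111111111111111111
U,2222222222222222222222222222222222222222
G,3333333333333333333333333333333333333333
B,4444444444444444444444444444444444444444'

# Helpers that apply each policy to the constructed log.
pick_keyring() { printf '%s\n' "$SAMPLE_LOG" | pick_signed_commit keyring; }
pick_strict()  { printf '%s\n' "$SAMPLE_LOG" | pick_signed_commit strict; }

# On a real checkout (with GNUPGHOME pointing at the curated keyring) the
# same function would be fed the live log, e.g.:
#   git log "$(guix --version | awk '/^guix/{print $4}')".. \
#       --pretty='format:%G?,%H' | pick_signed_commit strict
```

The difference between the two policies is exactly the caveat raised in the message: with "keyring", adding a key to GNUPGHOME is enough to make its signatures acceptable, so the keyring's contents are the whole trust decision; with "strict", a key that is merely present but not validated is skipped, and the chosen commit is the older, fully valid one.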