From: Ludovic Courtès <ludo@gnu.org>
To: Ricardo Wurmus
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 01 May 2020 19:04:41 +0200
Message-ID: <87wo5vfuxi.fsf@gnu.org>
In-Reply-To: <87bln9oupo.fsf@gnu.org>
Cc: 22883@debbugs.gnu.org

Hey!

Ludovic Courtès skribis:

> • Load the keyring from files in the repo, possibly in a dedicated
> branch.
>
> • Load the list of authorized keys from the parent of the commit being
> authenticated.

Done!

  8916c2fa32 git-authenticate: Load the keyring from the repository.
  6960064ddc git-authenticate: Load the list of authorized keys from the tree.
  f145a2d1a9 .guix-authorizations: Augment.
  62ae43db19 git-authenticate: Use (guix openpgp).
‘git-authenticate’ now loads the keyring from the “keyring” branch, which I’ve just pushed as an “orphan” branch:

  https://git.savannah.gnu.org/cgit/guix.git/?h=keyring

So no need to store the keyring out-of-band, to spawn gpg to fetch keys from somewhere else, etc. The idea is that we’ll keep adding new keys to this branch every time a new committer joins. We would never remove keys from there because those keys are necessary to verify signatures.

The fact that a key is present on that branch does _not_ mean that it designates an authorized committer today. The list of authorized committers is meant to be stored in a ‘.guix-authorizations’ file in each branch of the channel. It is essentially a list of fingerprints:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e

To accept a new committer, an authorized committer must add its key to this file in the branch(es) where that person is expected to commit.

The format currently accepts additional data for each fingerprint. It’s currently ignored, but I thought it could be useful in the future, for instance if we want to associate a file pattern with a key.

A commit is considered “authorized” if and only if its signing key is listed in the ‘.guix-authorizations’ file of its parent commit(s).

In ‘git-authenticate’, this is implemented in a naive unoptimized way, but it turns out to make no noticeable difference on the wall-clock time to authenticate those 14K+ commits.

The crux of the authorization mechanism is this procedure:

  (define* (commit-authorized-keys repository commit
                                   #:optional (default-authorizations '()))
    "Return the list of OpenPGP fingerprints authorized to sign COMMIT, based
  on authorizations listed in its parent commits.

  If one of the parent commits does not specify anything, fall back to
  DEFAULT-AUTHORIZATIONS."
    …)

Feedback welcome!

Ludo’.
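The rule described in the message (a commit is authorized iff its signing key is listed in the ‘.guix-authorizations’ file of its parent commit(s), with a fallback to default authorizations when a parent has no such file, and with the keyring branch holding keys that are not necessarily authorized today) can be modelled end to end without git or gpg. The following is an added example, not Guix's ‘git-authenticate’ code: commits, trees and signature-verification results are simulated in memory, the ‘.guix-authorizations’ file format used here (one fingerprint per line, trailing data ignored) is a constructed stand-in for the real one, the fingerprints and commit ids are placeholders, and the treatment of merge commits (a key must be listed by every parent, i.e. the intersection) is this example's conservative assumption rather than something the message states.

```python
"""Worked model of the parent-commit authorization rule (added example,
not Guix's own code).  Commits, trees and signature results are simulated
in memory so the check runs offline; the .guix-authorizations format used
below is a constructed stand-in for the real one."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

AUTHORIZATIONS_FILE = ".guix-authorizations"


@dataclass(frozen=True)
class Commit:
    id: str
    parents: Tuple[str, ...]      # parent commit ids
    signer: Optional[str]         # fingerprint reported by signature verification; None if unsigned
    tree: Dict[str, str]          # path -> file contents at this commit


@dataclass(frozen=True)
class Repository:
    commits: Dict[str, Commit]
    keyring: FrozenSet[str]       # fingerprints of the keys stored on the "keyring" branch


def parse_authorizations(text: str) -> FrozenSet[str]:
    """Constructed format: one fingerprint per line; anything after the
    fingerprint is extra data and is ignored (as the message says about
    the real format); '#' starts a comment."""
    fingerprints = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fingerprints.add(line.split()[0].upper())
    return frozenset(fingerprints)


def commit_authorized_keys(repo, commit_id, default_authorizations=frozenset()):
    """Fingerprints authorized to sign COMMIT_ID: those listed by each parent's
    .guix-authorizations.  A parent without the file contributes
    DEFAULT_AUTHORIZATIONS, and so does a root commit.  For merges a key must
    be listed by every parent (intersection) -- an assumption of this example."""
    commit = repo.commits[commit_id]
    if not commit.parents:
        return frozenset(default_authorizations)
    per_parent = []
    for parent_id in commit.parents:
        text = repo.commits[parent_id].tree.get(AUTHORIZATIONS_FILE)
        per_parent.append(frozenset(default_authorizations) if text is None
                          else parse_authorizations(text))
    return frozenset.intersection(*per_parent)


def authenticate_commit(repo, commit_id, default_authorizations=frozenset()) -> str:
    """Verdict for one commit: 'unsigned'; 'unknown-key' (signer absent from
    the keyring, so the signature cannot be verified at all); 'unauthorized'
    (key known, but not listed by the parent); or 'ok'."""
    commit = repo.commits[commit_id]
    if commit.signer is None:
        return "unsigned"
    signer = commit.signer.upper()
    if signer not in repo.keyring:
        return "unknown-key"
    if signer not in commit_authorized_keys(repo, commit_id, default_authorizations):
        return "unauthorized"
    return "ok"


def authenticate_history(repo, tip_id, default_authorizations=frozenset()) -> Dict[str, str]:
    """Naive walk over every commit reachable from TIP_ID.  Each commit is
    judged only against its own parents' trees, so traversal order is irrelevant."""
    verdicts, todo = {}, [tip_id]
    while todo:
        cid = todo.pop()
        if cid not in verdicts:
            verdicts[cid] = authenticate_commit(repo, cid, default_authorizations)
            todo.extend(repo.commits[cid].parents)
    return verdicts


# --- constructed sample history (placeholder fingerprints and commit ids) ---
ALICE, BOB, CAROL = "A1" * 20, "B2" * 20, "C3" * 20
AUTH_ALICE_BOB = f"""# constructed .guix-authorizations
{ALICE} (name "Alice")
{BOB}   (name "Bob")
"""
DEFAULT_AUTHORIZATIONS = frozenset({ALICE})  # who may sign before any file exists

REPO = Repository(
    keyring=frozenset({ALICE, BOB}),          # Carol's key was never added to the keyring branch
    commits={c.id: c for c in [
        Commit("c0", (), ALICE, {}),                                             # root, no file yet
        Commit("c1", ("c0",), ALICE, {AUTHORIZATIONS_FILE: AUTH_ALICE_BOB}),     # Alice authorizes Bob
        Commit("c2", ("c1",), BOB, {AUTHORIZATIONS_FILE: AUTH_ALICE_BOB}),       # Bob's first commit
        Commit("c3", ("c0",), BOB, {}),                                          # off a parent that does not list Bob
        Commit("c4", ("c2",), CAROL, {AUTHORIZATIONS_FILE: AUTH_ALICE_BOB}),     # key absent from keyring
        Commit("c5", ("c2",), None, {AUTHORIZATIONS_FILE: AUTH_ALICE_BOB}),      # unsigned
        Commit("c6", ("c2", "c3"), ALICE, {AUTHORIZATIONS_FILE: AUTH_ALICE_BOB}),  # merge of c2 and c3
    ]},
)

if __name__ == "__main__":
    for cid, verdict in sorted(authenticate_history(REPO, "c6", DEFAULT_AUTHORIZATIONS).items()):
        print(cid, verdict)
```

Two points the sample history makes concrete: c3 is signed by a key that is present on the keyring branch yet is rejected, because the parent it was committed on top of does not list that key (presence in the keyring is not authorization); and for the merge c6 the authorized set shrinks to what both parents agree on, so a committer added on only one side of a merge cannot sign the merge itself under this example's intersection rule.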