From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id KKf7ESgWWmP+MQAAbAwnHQ (envelope-from ) for ; Thu, 27 Oct 2022 07:24:56 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id GKDMESgWWmO2PwAA9RJhRA (envelope-from ) for ; Thu, 27 Oct 2022 07:24:56 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id D98C55F77 for ; Thu, 27 Oct 2022 07:24:55 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1onvNN-0004LW-4Q; Thu, 27 Oct 2022 01:24:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onvNJ-00048c-Ta for guix-devel@gnu.org; Thu, 27 Oct 2022 01:24:17 -0400 Received: from lepiller.eu ([2a00:5884:8208::1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onvNH-0008Bl-55 for guix-devel@gnu.org; Thu, 27 Oct 2022 01:24:17 -0400 Received: from lepiller.eu (localhost [127.0.0.1]) by lepiller.eu (OpenSMTPD) with ESMTP id e8a20fba; Thu, 27 Oct 2022 05:23:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=lepiller.eu; h=date:from :to:cc:subject:in-reply-to:references:message-id:mime-version :content-type:content-transfer-encoding; s=dkim; bh=ZV/IbJr3pM7B A/5r9H+fyDlFDjCxL4XMOei/TPdUTCY=; b=iZOLTD4+DAQPRbBwsUYUvnjE35Xw LmberZAXOyKPE79X2LUp8xncmVcDr2TyWumdHIN/yYjItksF/M/igoMh6oLEzgeR UWU++QKPMlpYTpTWGa6O0/BVgfbJTfJic5IDF4CAtOJUyn9HzuVKJWKbqgEhY7mg t98sJmIGYRNp/ApBT+9kC5SoLBmECv5phJvwuUQGIvD29LHo9ZVDSN/mgxMI4OhK XExFwZDuL7EJ4PCLmqumGWbBDXH6a38xEPg6DHLq3TZZriye7UhufLwHI2cpBM8l iNNhRY6qfLLFwJySmE68mJ9oMaz1QSmi1jQGwbxVj4zvcsPr21mj13E1Sg== Received: by lepiller.eu (OpenSMTPD) with ESMTPSA id 7cea80a1 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); Thu, 27 Oct 2022 05:23:08 +0000 (UTC) Date: Thu, 27 Oct 2022 07:23:04 +0200 From: Julien Lepiller To: jgart CC: guix-devel@gnu.org Subject: Re: guix git authenticate throws hard User-Agent: K-9 Mail for Android In-Reply-To: <20221026190740.GB15216@dismail.de> References: <20221025213350.GB13409@dismail.de> <20221026003520.GB24994@dismail.de> <0395BB1B-3B58-493F-BC74-25810A47098F@lepiller.eu> <20221026190740.GB15216@dismail.de> Message-ID: <1330C52E-94AB-4AF4-AF99-284CC9BBB2CA@lepiller.eu> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=----8U88RGBCHTSG08AC6XM3447B70O6Q7 Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=2a00:5884:8208::1; envelope-from=julien@lepiller.eu; helo=lepiller.eu X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Guix-devel" Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1666848296; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=ZV/IbJr3pM7BA/5r9H+fyDlFDjCxL4XMOei/TPdUTCY=; b=tGa/nLU9mxZPNK+EU42v4EEh9L2yIxBhBMtn0aj8ZqhTuQe2sugkNNLyVhzX2e5qHnw2+n TgpUH4ISwMP2/a3Hk+HrdMxfTvm7tuh8Bn9ini2IPWr0Cvh3Rl6q+auEcMcq3iOiJJt/Sg CqSY1BokPBBsImWgrLqG5jpdnIJCiW4sCN8Tz8JVG6a0ASj3tWbIp4halvcm5CdroLu7Zl RXYaOywQx8xC/5p4jM+cEo633TGU29xSNFCqKY1jOduz9QNrg2199D+0TA4ZMokpH6dlhV JG33GhSdOJ5EegSpDVQq3bdLUOvBqnkzTd/qOTdYQMFOtj37iKEiOVVhnmOhPA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1666848296; a=rsa-sha256; cv=none; b=onKZnZYxEum9giZd075AG1EbpJxu6WuUQnScP2UJRPNFq5HpzBIWSeNKvMhfZcJCwmU1c5 Z9bsdGW0/fMltB42IGiZcctsjGF16xuAdOXCq6lljafiUrEG0ETHMAW6NMiBfxZ2AxHQxQ ualRzc8aW1rX3TSNejzER2WpdPKL7UuJiG9emIf9IKgog+z0bs5VE+JZwC8h7H04IuaVyC Y0gxiVLmlLkVH3wY9owD8q33mKx14r7z5Z5F0niOoKCkaqk2prfY1tmLgZP1PC0IquB3Cp 8AVdeH8cQKQeeCuygFtl48VPBCZvnodAOfDyfiY5qrcyRLlEcDDftvx7GVsbkw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=lepiller.eu header.s=dkim header.b=iZOLTD4+; dmarc=pass (policy=none) header.from=lepiller.eu; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -2.42 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=lepiller.eu header.s=dkim header.b=iZOLTD4+; dmarc=pass (policy=none) header.from=lepiller.eu; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: D98C55F77 X-Spam-Score: -2.42 X-Migadu-Scanner: scn1.migadu.com X-TUID: txjBgmkt2Px/ ------8U88RGBCHTSG08AC6XM3447B70O6Q7 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Commit signing is a git feature, so git itself can be used to check your la= st commits are signed: git log --show-signature This will look the same as git log if the commit is unsigned, and show the= result of gpg =E2=80=94verify otherwise=2E Red background if unverified (e= g=2E you don't have the public key) and green otherwise=2E This should zake= it easy to spot whether you signed the last commits or not Le 27 octobre 2022 02:07:40 GMT+02:00, jgart a =C3=A9= crit=C2=A0: >On Wed, 26 Oct 2022 09:07:57 +0200 Julien Lepiller = wrote: >> It says fingerprint, so it's fingerprint=2E Using email or name would n= ot be as secure=2E >>=20 >> Le 26 octobre 2022 07:35:20 GMT+02:00, jgart a =C3= =A9crit=C2=A0: >> >On Wed, 26 Oct 2022 07:21:35 +0200 Julien Lepiller wrote: >> >> From the manual: "signer is the OpenPGP fingerprint of public key us= ed to sign commit=2E", but we should still catch this error :) >> > >> >Is it possible to give the email instead of the fingerprint? >> > >> >Deduce the fingerprint from the email? > >Julien and/or anyone else, > >What do you think if we have a CLI flag for git authenticate that would >allow us to do this to authenticate the last 5 commits against the >3B1D7F19E36BB60C0F5B2CA9A52AA2B477B6DD35 fingerprint, for example: > >guix git authenticate 3B1D7F19E36BB60C0F5B2CA9A52AA2B477B6DD35 -5 > >I've run into situations where I can't remember if I signed a commit or n= ot=2E=20 > >IWBC if I could just say authenticate the last commits against my >fingerprint instead of going one by one=2E If this already exists and is >not documented then we should definitely document that usage with an >example to let others know=2E > >all best, > >jgart ------8U88RGBCHTSG08AC6XM3447B70O6Q7 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: quoted-printable Commit signing is a git feature, so git itself can= be used to check your last commits are signed:

git log --show-signa= ture

This will look the same as git log if the commit is unsigned, a= nd show the result of gpg =E2=80=94verify otherwise=2E Red background if un= verified (eg=2E you don't have the public key) and green otherwise=2E This = should zake it easy to spot whether you signed the last commits or not
<= br>
Le 27 octobre 2022 02:07:40 GMT+02:00, jgart = <jgart@dismail=2Ede> a =C3=A9crit=C2=A0:
On Wed, 26 Oct 2022 09:07:57 +0200 Juli=
en Lepiller <julien@lepiller=2Eeu> wrote:
It says fingerprint, so it's fingerprint=2E Using =
email or name would not be as secure=2E

Le 26 octobre 2022 07:35:20 =
GMT+02:00, jgart <jgart@dismail=2Ede> a =C3=A9crit :
On Wed, 26 Oct 2022 07:21:35 +0200=
 Julien Lepiller <julien@lepiller=2Eeu> wrote:
From the manual: "signer is the OpenPGP fin=
gerprint of public key used to sign commit=2E", but we should still catch t=
his error :)

Is it possible to give the email instead o=
f the fingerprint?

Deduce the fingerprint from the email?

Julien and/or anyone else,

What do you think =
if we have a CLI flag for git authenticate that would
allow us to do thi=
s to authenticate the last 5 commits against the
3B1D7F19E36BB60C0F5B2CA=
9A52AA2B477B6DD35 fingerprint, for example:

guix git authenticate 3B=
1D7F19E36BB60C0F5B2CA9A52AA2B477B6DD35 -5

I've run into situations w=
here I can't remember if I signed a commit or not=2E 

IWBC if I coul=
d just say authenticate the last commits against my
fingerprint instead =
of going one by one=2E If this already exists and is
not documented then=
 we should definitely document that usage with an
example to let others =
know=2E

all best,

jgart
------8U88RGBCHTSG08AC6XM3447B70O6Q7--