* Authenticating maintenance.git
From: Ludovic Courtès @ 2021-05-06 11:03 UTC
To: guix-devel; +Cc: guix-sysadmin

Hello Guix!

I’ve added a ‘.guix-authorizations’ file in maintenance.git, at last!
We can now authenticate the repository we’ve checked out:

  guix git authenticate 8a7e10b447b574279a7016ae6ea15bc7bcd46253 \
    "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5" --stats

It’s also possible to authenticate all changes made to the repo since
the first signed commit in July 2016 by running:

  guix git authenticate 7f59985566b384e31da7e6f1a36744e9edfba54f \
    "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5" \
    --historical-authorizations=historical-authorizations

If you ran the first command above before, you might want to clear your
authentication cache with:

  rm -rf ~/.cache/guix/authentication/checkouts

Note that ‘.guix-authorizations’ is a subset of the one on the main Guix
repository, but we can add people as needed. I invite committers to
install the pre-push hook as mentioned in README:

  https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/README

Happy hacking!

Ludo’.

* Re: Authenticating maintenance.git
From: Leo Famulari @ 2021-05-06 21:26 UTC
To: guix-devel

On Thu, May 06, 2021 at 01:03:21PM +0200, Ludovic Courtès wrote:
> Hello Guix!
>
> I’ve added a ‘.guix-authorizations’ file in maintenance.git, at last!

Thanks for taking care of this!

* Re: Authenticating maintenance.git
From: Chris Marusich @ 2021-06-16 7:20 UTC
To: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> Hello Guix!
>
> I’ve added a ‘.guix-authorizations’ file in maintenance.git, at last!
> We can now authenticate the repository we’ve checked out:
>
>   guix git authenticate 8a7e10b447b574279a7016ae6ea15bc7bcd46253 \
>     "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5" --stats
>
> It’s also possible to authenticate all changes made to the repo since
> the first signed commit in July 2016 by running:
>
>   guix git authenticate 7f59985566b384e31da7e6f1a36744e9edfba54f \
>     "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5" \
>     --historical-authorizations=historical-authorizations
>
> If you ran the first command above before, you might want to clear your
> authentication cache with:
>
>   rm -rf ~/.cache/guix/authentication/checkouts
>
> Note that ‘.guix-authorizations’ is a subset of the one on the main Guix
> repository, but we can add people as needed. I invite committers to
> install the pre-push hook as mentioned in README:
>
>   https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/README
>
> Happy hacking!
>
> Ludo’.

I'm late to the party, but I notice that when I run this in
guix-maintenance, I get an error:

--8<---------------cut here---------------start------------->8---
$ guix git authenticate 8a7e10b447b574279a7016ae6ea15bc7bcd46253 "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5"
guix git: error: Git error: cannot locate remote-tracking branch 'keyring'
--8<---------------cut here---------------end--------------->8---

Am I doing something wrong?

--
Chris

* Re: Authenticating maintenance.git
From: Ludovic Courtès @ 2021-06-20 16:25 UTC
To: Chris Marusich; +Cc: guix-devel

Hi Chris,

Chris Marusich <cmmarusich@gmail.com> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello Guix!
>>
>> I’ve added a ‘.guix-authorizations’ file in maintenance.git, at last!

[...]

> I'm late to the party, but I notice that when I run this in
> guix-maintenance, I get an error:
>
> $ guix git authenticate 8a7e10b447b574279a7016ae6ea15bc7bcd46253 "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5"
> guix git: error: Git error: cannot locate remote-tracking branch 'keyring'
>
> Am I doing something wrong?

It looks like you’re missing a local ‘keyring’ branch for that repo, no?

I think you need to run:

  git fetch
  git branch --track keyring

HTH,
Ludo’.

* Re: Authenticating maintenance.git
From: Chris Marusich @ 2021-06-23 0:46 UTC
To: Ludovic Courtès; +Cc: guix-devel

Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

> It looks like you’re missing a local ‘keyring’ branch for that repo, no?
>
> I think you need to run:
>
>   git fetch
>   git branch --track keyring

This works, basically. Thank you!

Details: When master is currently checked out, that "git branch"
command actually creates a local branch named "keyring" that tracks my
local "master" branch, which is probably not what you meant I should
do. In the end, "git branch --track keyring origin/keyring" worked for
me: it created a local branch named "keyring" that tracks remote branch
"origin/keyring". After that, I was able to run the pre-push hook
without issue!

--
Chris

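Added example, not part of the thread or of the project's tooling: a shell check for the tracking pitfall described in the message above, where "git branch --track keyring" run from master leaves 'keyring' tracking the local master. The function names, exit codes and the throwaway sandbox are this example's own.

```shell
# Exit codes (this example's convention): 0 = tracks <remote>/keyring and is
# current, 1 = no local branch, 2 = wrong or no upstream, 3 = behind upstream.

# Full ref name of the upstream of the local 'keyring' branch (empty if none).
keyring_upstream() {
    git -C "$1" for-each-ref --format='%(upstream)' refs/heads/keyring
}

check_keyring_branch() {
    repo=$1; remote=${2:-origin}
    if ! git -C "$repo" show-ref --verify --quiet refs/heads/keyring; then
        echo "no local 'keyring': git branch --track keyring $remote/keyring" >&2
        return 1
    fi
    upstream=$(keyring_upstream "$repo")
    if [ "$upstream" != "refs/remotes/$remote/keyring" ]; then
        echo "'keyring' tracks '${upstream:-nothing}', not $remote/keyring" >&2
        return 2
    fi
    behind=$(git -C "$repo" rev-list --count \
        "refs/heads/keyring..refs/remotes/$remote/keyring")
    if [ "$behind" -gt 0 ]; then
        echo "'keyring' is $behind commit(s) behind $remote/keyring" >&2
        return 3
    fi
    return 0
}

# Constructed sandbox: a bare "origin" with master and keyring branches plus a
# clone of it. Prints the path of the clone.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    git init -q --bare "$dir/origin.git"
    git -C "$dir/origin.git" symbolic-ref HEAD refs/heads/master
    git init -q "$dir/seed"
    git -C "$dir/seed" symbolic-ref HEAD refs/heads/master
    git -C "$dir/seed" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "constructed commit"
    git -C "$dir/seed" branch keyring
    git -C "$dir/seed" push -q "$dir/origin.git" master keyring
    git clone -q "$dir/origin.git" "$dir/work"
    echo "$dir/work"
}
```

Run check_keyring_branch on the maintenance.git checkout before installing the pre-push hook; exit code 2 is the state reached by running "git branch --track keyring" while master is checked out.
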
* Re: Authenticating maintenance.git
From: Chris Marusich @ 2021-06-24 1:01 UTC
To: Ludovic Courtès; +Cc: guix-devel

Chris Marusich <cmmarusich@gmail.com> writes:

> Hi Ludo,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> It looks like you’re missing a local ‘keyring’ branch for that repo, no?
>>
>> I think you need to run:
>>
>>   git fetch
>>   git branch --track keyring
>
> This works, basically. Thank you!

Although I was now able to run the pre-push hook, it seems unaware of my
PGP key. I tried making the attached change to the README and testing a
push via "git push -n origin", and it complained about the signature:

--8<---------------cut here---------------start------------->8---
$ git push -n origin
Authenticating commits 8a7e10b to 413b8f1 (1 new commits)...
[##############################################################################]guix git: error: could not authenticate commit 413b8f1c6d9ca2160d7aa8d80db181a6f39d3d82:
key CBF5 9755 CBE7 E7EF EF18 3FB1 DD40 9A15 D822 469D is missing
error: failed to push some refs to 'git.savannah.gnu.org:/srv/git/guix/maintenance.git'
--8<---------------cut here---------------end--------------->8---

However, the signature looks good to me:

--8<---------------cut here---------------start------------->8---
$ git verify-commit 413b8f1c6d9ca2160d7aa8d80db181a6f39d3d82
gpg: Signature made Tue 22 Jun 2021 05:54:13 PM PDT
gpg:                using RSA key CBF59755CBE7E7EFEF183FB1DD409A15D822469D
gpg: Good signature from "Chris Marusich <cmmarusich@gmail.com>" [ultimate]
--8<---------------cut here---------------end--------------->8---

GnuPG reports it can find the keys:

--8<---------------cut here---------------start------------->8---
$ gpg --list-keys 'CBF5 9755 CBE7 E7EF EF18 3FB1 DD40 9A15 D822 469D'
pub   rsa4096 2016-02-19 [SC] [expires: 2021-08-13]
      CBF59755CBE7E7EFEF183FB1DD409A15D822469D
uid           [ultimate] Chris Marusich <cmmarusich@gmail.com>
sub   rsa4096 2016-02-19 [E] [expires: 2021-08-13]
--8<---------------cut here---------------end--------------->8--- This happens even if I update guix with "guix pull". Any idea what the problem might be? -- Chris [-- Attachment #1.2: 0001-README-Clarify-that-pre-push-hook-needs-keyring.patch --] [-- Type: text/x-patch, Size: 1418 bytes --] From 413b8f1c6d9ca2160d7aa8d80db181a6f39d3d82 Mon Sep 17 00:00:00 2001 From: Chris Marusich <cmmarusich@gmail.com> Date: Tue, 22 Jun 2021 17:51:07 -0700 Subject: [PATCH] README: Clarify that pre-push hook needs keyring. * README: Explain that the pre-push hook requires the existence of a local keyring branch, and add a "git branch" command to show how to create one. --- README | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README b/README index 338895b..71dc641 100644 --- a/README +++ b/README @@ -1,8 +1,10 @@ This repository is meant to contain documents and tools by Guix hackers and maintainers that do not fit in the Guix repository. -If you’re a committer, please install this pre-push hook: +If you’re a committer, please create a local keyring branch that +tracks origin/keyring and install this pre-push hook: +git branch --track keyring origin/keyring cat > .git/hooks/pre-push <<EOF #!/bin/sh exec guix git authenticate 8a7e10b447b574279a7016ae6ea15bc7bcd46253 "3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5" @@ -10,4 +12,5 @@ EOF chmod +x .git/hooks/pre-push This will check whether your commits are signed by a key listed in -‘.guix-authorizations’ before pushing. +‘.guix-authorizations’ before pushing. It requires a local keyring +branch to exist, hence the "git branch" command above. -- 2.30.2 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 861 bytes --] ^ permalink raw reply related [flat|nested] 8+ messages in thread
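
Review bot: the "git branch --track keyring origin/keyring" line added in the first README hunk assumes that origin/keyring is already present in the checkout and that the remote is named "origin"; nothing in the hunk fetches it first, so on a checkout that lacks the remote-tracking ref the command fails before the hook is installed. Consider putting "git fetch origin" on the line above it. The new command also runs straight into the existing "cat > .git/hooks/pre-push <<EOF" line with no blank line or comment between them, which makes the two steps easy to read as one; a separating blank line would help.
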
* Re: Authenticating maintenance.git
From: Maxime Devos @ 2021-06-25 12:26 UTC
To: Chris Marusich, Ludovic Courtès; +Cc: guix-devel

Chris Marusich wrote on Wed 23-06-2021 at 18:01 [-0700]:
> Although I was now able to run the pre-push hook, it seems unaware of my
> PGP key. I tried making the attached change to the README and testing a
> push via "git push -n origin", and it complained about the signature:
>
> --8<---------------cut here---------------start------------->8---
> $ git push -n origin
> Authenticating commits 8a7e10b to 413b8f1 (1 new commits)...
> [##############################################################################]guix git: error: could not authenticate commit 413b8f1c6d9ca2160d7aa8d80db181a6f39d3d82:
> key CBF5 9755 CBE7 E7EF EF18 3FB1 DD40 9A15 D822 469D is missing
> error: failed to push some refs to 'git.savannah.gnu.org:/srv/git/guix/maintenance.git'
> --8<---------------cut here---------------end--------------->8---

It is complaining about the missing key, not about signatures.

> GnuPG reports it can find the keys:
>
> --8<---------------cut here---------------start------------->8---
> $ gpg --list-keys 'CBF5 9755 CBE7 E7EF EF18 3FB1 DD40 9A15 D822 469D'
> [...]

The keyring in ~/.gnupg is irrelevant to "guix git authenticate".
"guix git authenticate" only uses the keys on the keyring branch
(whose fingerprint needs to be in .guix-authorizations).

The public key is in .guix-authorizations
(see https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/.guix-authorizations#n32).
But is it on the keyring branch?

It would appear it isn't. There is a marusich-D822469D.key, but
that appears to be a different key (DD40 9A15 D822 469D).
Perhaps you need to add your key to the keyring branch?
IIUC, commits to the keyring branch are unauthenticated, so
you could do that yourself. (It is secure because .guix-authorizations
contains a whitelist of allowed key fingerprints.)

Greetings,
Maxime.

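Added example, not part of the thread or of Guix itself: a shell sketch of the comparison described in the message above, listing fingerprints that ‘.guix-authorizations’ allows but for which the keyring branch carries no key (the "key ... is missing" case). It assumes fingerprints appear in the authorizations file as quoted hex strings and that the files on the keyring branch are OpenPGP public keys readable by "gpg --show-keys"; the function names and the sample data are constructed.

```shell
# Print the quoted fingerprints found on stdin, spaces removed, one per line.
authorized_fingerprints() {
    grep -oE '"[0-9A-Fa-f ]{40,}"' | tr -d '" ' | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# stdin: `gpg --with-colons` output. Prints primary-key and subkey fingerprints.
colon_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }' | LC_ALL=C sort -u
}

# Fingerprints of every key file on BRANCH of REPO (needs git and gpg).
keyring_fingerprints() {
    repo=$1; branch=${2:-keyring}
    git -C "$repo" ls-tree -r --name-only "$branch" | while IFS= read -r f; do
        git -C "$repo" show "$branch:$f" | gpg --show-keys --with-colons 2>/dev/null
    done | colon_fingerprints
}

# stdin: authorizations file; $1: file holding the sorted keyring fingerprints.
# Prints fingerprints that are authorized but have no key in the keyring.
authorized_but_missing() {
    authorized_fingerprints | LC_ALL=C comm -23 - "$1"
}

# Constructed sample inputs (made-up fingerprints and names).
sample_authorizations() {
    cat <<'EOF'
(authorizations
 (version 0)
 (("AAAA 1111 AAAA 1111 AAAA  1111 AAAA 1111 AAAA 1111" (name "alice"))
  ("BBBB 2222 BBBB 2222 BBBB  2222 BBBB 2222 BBBB 2222" (name "bob"))))
EOF
}

sample_colons() {
    printf 'uid:-::::::::Alice (constructed)::::::::::0:\n'
    printf 'fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:\n'
}
```

On a real checkout: keyring_fingerprints . > /tmp/kr.txt, then git show HEAD:.guix-authorizations | authorized_but_missing /tmp/kr.txt.
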
* Re: Authenticating maintenance.git
From: Ludovic Courtès @ 2021-06-29 14:36 UTC
To: Maxime Devos; +Cc: guix-devel

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> Chris Marusich wrote on Wed 23-06-2021 at 18:01 [-0700]:
>> Although I was now able to run the pre-push hook, it seems unaware of my
>> PGP key. I tried making the attached change to the README and testing a
>> push via "git push -n origin", and it complained about the signature:
>>
>> --8<---------------cut here---------------start------------->8---
>> $ git push -n origin
>> Authenticating commits 8a7e10b to 413b8f1 (1 new commits)...
>> [##############################################################################]guix git: error: could not authenticate commit 413b8f1c6d9ca2160d7aa8d80db181a6f39d3d82:
>> key CBF5 9755 CBE7 E7EF EF18 3FB1 DD40 9A15 D822 469D is missing
>> error: failed to push some refs to 'git.savannah.gnu.org:/srv/git/guix/maintenance.git'
>> --8<---------------cut here---------------end--------------->8---

[...]

> The public key is in .guix-authorizations
> (see https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/.guix-authorizations#n32).
> But is it on the keyring branch?
>
> It would appear it isn't. There is a marusich-D822469D.key, but
> that appears to be a different key (DD40 9A15 D822 469D).
> Perhaps you need to add your key to the keyring branch?
> IIUC, commits to the keyring branch are unauthenticated, so
> you could do that yourself. (It is secure because .guix-authorizations
> contains a whitelist of allowed key fingerprints.)

Oh, do you think I added Chris’ key to ‘.guix-authorizations’ but not to
the keyring branch? That would mean there were no commits with that key
in the history so far.

Thanks,
Ludo’.