unofficial mirror of guix-devel@gnu.org 
* Strange behavior using guix git authenticate
@ 2024-11-22 18:24 sebastien
  2024-11-27 18:39 ` Simon Tournier
  2024-11-27 22:12 ` Attila Lendvai
  0 siblings, 2 replies; 4+ messages in thread
From: sebastien @ 2024-11-22 18:24 UTC (permalink / raw)
  To: guix-devel



Hi,

I tried to follow the tutorial on the Guix blog (https://guix.gnu.org/en/blog/2024/authenticate-your-git-checkouts/) to authenticate my commits for a personal channel. I have some feedback to give, and possibly missing info for padawans like me.


-   A / There is no information about pushing the keyring branch to the origin repo. The commit for keyring comes before the introductory commit, so pushing keyring to the <yourforge> repository failed. Talking with Ludovic, the tutorial doesn't say that the pre-push hook needs to be deactivated to push to the <yourforge> repository.

-   B / I followed the tutorial on an existing channel repo, two times, because I made some errors that implied: a reset --hard of the repo, deleting the keyring branch, removing the authenticate line in git/config, and removing the post-merge and pre-push hooks. But now my repository is probably in a strange state, and guix git authenticate fails even if the commit is a correct descendant of the introductory commit. More info below:

An example with one commit after Introductory Commit (fcf50534c7fec17e689597cfaaec9f4cedb397de) :

---
commit 2eddf958be68a5a4df7fd43feb604707472f89a4 (HEAD -> master, origin/master)
gpg: Signature faite le mar. 19 nov. 2024 23:05:17 CET
gpg:                avec la clef RSA 41D051592D59A9C07AB4DF25DC55CB6B7043416E
gpg: Bonne signature de « xxx <xxx> » [ultime]
Author: xxx <xxx>
Date:   Tue Nov 19 23:05:17 2024 +0100


    add README


commit fcf50534c7fec17e689597cfaaec9f4cedb397de
gpg: Signature faite le mar. 19 nov. 2024 22:55:40 CET
gpg:                avec la clef RSA 41D051592D59A9C07AB4DF25DC55CB6B7043416E
gpg: Bonne signature de « xxx <> » [ultime]
Author: xxx <>
Date:   Tue Nov 19 22:55:40 2024 +0100


    Introductory commit.
---

In my .git/config I have:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true

[remote "origin"]
    url = git@codeberg.org:reycoseb/extra-guix-channel.git
    fetch = +refs/heads/*:refs/remotes/origin/*

[branch "master"]
    remote = origin
    merge = refs/heads/master

[guix "authentication"]
    introduction-commit = fcf50534c7fec17e689597cfaaec9f4cedb397de
    introduction-signer = 41D051592D59A9C07AB4DF25DC55CB6B7043416E
    keyring = keyring

[branch "keyring"]
    remote = origin
    merge = refs/heads/keyring

I use a Yubikey with a specific subkey used to sign :

Signature key ....: 41D0 5159 2D59 A9C0 7AB4  DF25 DC55 CB6B 7043 416E
      created ....: 2020-09-01 12:13:40
Encryption key....: 04E1 4065 2E41 C847 4D7F  B0EE D788 9EAF B20E C927
      created ....: 2020-09-01 12:14:39
Authentication key: D57E C3C4 1288 E30D 17C1  290B 1DB9 AAD6 04D0 60C0
      created ....: 2020-09-01 12:15:08


My .guix authorization file :


(authorizations (version 0)               ;current file format version


 (("41D0 5159 2D59 A9C0 7AB4  DF25 DC55 CB6B 7043 416E"
   (name "xxx"))))


When I run guix git authenticate in my master branch, with the Yubikey activated, I get:

Authentification des commits fcf5053 à 2eddf95 (1 nouveaux commits)...guix git: erreur : commit 2eddf958be68a5a4df7fd43feb604707472f89a4 not signed by an authorized key: 41D0 5159 2D59 A9C0 7AB4  DF25 DC55 CB6B 7043 416E


Strange? Also, the git push command says the same thing. If you have

I use:

  guix 4c56d0c
    URL du dépôt : https://git.savannah.gnu.org/git/guix.git
    branche : master
    commit : 4c56d0cccdc44e12484b26332715f54768738c5f

Best regards,
Sebastien RC.







* Re: Strange behavior using guix git authenticate
  2024-11-22 18:24 Strange behavior using guix git authenticate sebastien
@ 2024-11-27 18:39 ` Simon Tournier
  2024-11-27 20:29   ` sebastien via Development of GNU Guix and the GNU System distribution.
  2024-11-27 22:12 ` Attila Lendvai
  1 sibling, 1 reply; 4+ messages in thread
From: Simon Tournier @ 2024-11-27 18:39 UTC (permalink / raw)
  To: sebastien, guix-devel

Hi Sébastien,

On Fri, 22 Nov 2024 at 18:24, sebastien <ml-dev@reycoyrehourcq.me> wrote:

> Authentification des commits fcf5053 à 2eddf95 (1 nouveaux commits)...guix git: erreur : commit 2eddf958be68a5a4df7fd43feb604707472f89a4 not signed by an authorized key: 41D0 5159 2D59 A9C0 7AB4  DF25 DC55 CB6B 7043 416E

If we speak about [1], I think the mistake comes from a typo in the
name: ’s’ instead of ’z’.

    .guix-authorisations -> .guix-authorizations

Because of that, the procedure ’commit-authorized-keys’ returns an empty
list.

Renaming, does it fix your issue?

That said, maybe we could improve the UI by checking these two
requirements for authorization: a file named ’.guix-authorizations’ and a
branch ’keyring’ (although ’keyring’ is a key passed around).

Cheers,
simon

1: https://gitlab.huma-num.fr/gt-notebook/workshop/je_notebook_2024/atelier-bdc-notebooks/gt-guix-doc-channel/-/blob/f0d0930d00afdb62544f15ad69cac1be776ef7bc/.guix-authorisations



* Re: Strange behavior using guix git authenticate
  2024-11-27 18:39 ` Simon Tournier
@ 2024-11-27 20:29   ` sebastien via Development of GNU Guix and the GNU System distribution.
  0 siblings, 0 replies; 4+ messages in thread
From: sebastien via Development of GNU Guix and the GNU System distribution. @ 2024-11-27 20:29 UTC (permalink / raw)
  To: Simon Tournier; +Cc: guix-devel




Hi Simon,

I'm feeling so stupid, sorry about that ... working late is never a good idea ...

I redid the tutorial and now everything runs fine, thanks \o/ !

There is also the "pre-push" hook to change a little because keyring cannot be validated :

git push -f --set-upstream origin keyring --no-verify

Best regards,
SR

On Wednesday, 27 November 2024 at 7:39 PM, Simon Tournier <zimon.toutoune@gmail.com> wrote:

> Hi Sébastien,
>
> On Fri, 22 Nov 2024 at 18:24, sebastien ml-dev@reycoyrehourcq.me wrote:
>
> > Authentification des commits fcf5053 à 2eddf95 (1 nouveaux commits)...guix git: erreur : commit 2eddf958be68a5a4df7fd43feb604707472f89a4 not signed by an authorized key: 41D0 5159 2D59 A9C0 7AB4 DF25 DC55 CB6B 7043 416E
>
> If we speak about [1], I think the mistake comes from a typo in the
> name: ’s’ instead of ’z’.
>
> .guix-authorisations -> .guix-authorizations
>
> Because of that, the procedure ’commit-authorized-keys’ returns an empty
> list.
>
> Renaming, does it fix your issue?
>
> That’s said, maybe we could improve the UI by checking these two
> requirements for authorization: a file name ’.guix-authorizations’ and a
> branch ’keyring’ (although ’keyring’ is a key passed around).
>
> Cheers,
> simon
>
> 1: https://gitlab.huma-num.fr/gt-notebook/workshop/je_notebook_2024/atelier-bdc-notebooks/gt-guix-doc-channel/-/blob/f0d0930d00afdb62544f15ad69cac1be776ef7bc/.guix-authorisations


* Re: Strange behavior using guix git authenticate
  2024-11-22 18:24 Strange behavior using guix git authenticate sebastien
  2024-11-27 18:39 ` Simon Tournier
@ 2024-11-27 22:12 ` Attila Lendvai
  1 sibling, 0 replies; 4+ messages in thread
From: Attila Lendvai @ 2024-11-27 22:12 UTC (permalink / raw)
  To: sebastien; +Cc: guix-devel

> An example with one commit after Introductory Commit (fcf50534c7fec17e689597cfaaec9f4cedb397de) :

i suspect you may have been surprised by what's described (and fixed) in this unmerged patch:

https://issues.guix.gnu.org/50814

in short: git authenticate doesn't check anything on the intro commit, just takes it as-is. so, if your setup is broken, then it only complains for the *second* commit.

if enough time passes between the two commits, then it can cause quite some time-waste for the surprised padawans. well, or at least for padawans like yours truly.

-- 
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Your task is not to seek for love, but merely to seek and find all the barriers within yourself that you have built against it.”
	— Rumi (1207–1273)
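
Added example (not part of the thread and not Guix code): a shell preflight for the two requirements Simon lists, a file named .guix-authorizations and a keyring branch, run by default against the introduction commit, since as Attila notes guix git authenticate takes that commit as-is and a broken setup only shows up on the next commit. It assumes the git config keys shown in sebastien's .git/config and that .guix-authorizations sits at the top level of the tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for a `guix git authenticate` setup.
# Function names are hypothetical; config keys are those shown in the thread.

# Read top-level file names (git ls-tree --name-only COMMIT) on stdin.
# Print ok, misnamed:<name> or missing; succeed only for ok.
classify_authz_file() {
    names=$(cat)
    if printf '%s\n' "$names" | grep -qxF '.guix-authorizations'; then
        echo ok; return 0
    fi
    # Near misses such as the .guix-authorisations spelling from this thread.
    near=$(printf '%s\n' "$names" |
        grep -iE '^\.?guix[-_]?authori[sz]ations?$' | head -n 1)
    if [ -n "$near" ]; then echo "misnamed:$near"; else echo missing; fi
    return 1
}

# Read the file's content on stdin; succeed if fingerprint $1 is listed
# as a quoted string, ignoring spaces and letter case.
signer_listed() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    tr -d ' ' | tr 'a-f' 'A-F' | grep -qF "\"$want\""
}

# preflight REPO [COMMIT]: run the checks on a real checkout (needs git).
# COMMIT defaults to the configured introduction commit, else HEAD.
preflight() {
    repo=$1; rc=0
    cfg() { git -C "$repo" config "guix.authentication.$1"; }
    commit=${2:-$(cfg introduction-commit || echo HEAD)}
    keyring=$(cfg keyring || echo keyring)
    signer=$(cfg introduction-signer || true)
    state=$(git -C "$repo" ls-tree --name-only "$commit" |
        classify_authz_file) || rc=1
    echo ".guix-authorizations in $commit: $state"
    if [ "$state" = ok ] && [ -n "$signer" ]; then
        git -C "$repo" show "$commit:.guix-authorizations" |
            signer_listed "$signer" ||
            { echo "introduction signer $signer is not listed"; rc=1; }
    fi
    git -C "$repo" show-ref --verify --quiet "refs/heads/$keyring" ||
        git -C "$repo" show-ref --verify --quiet "refs/remotes/origin/$keyring" ||
        { echo "keyring branch '$keyring' not found"; rc=1; }
    return "$rc"
}

# Usage as a script: sh preflight.sh /path/to/checkout [COMMIT]
[ $# -eq 0 ] || preflight "$@"
```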


