From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id yG0WE7If9WLgHAAAbAwnHQ (envelope-from ) for ; Thu, 11 Aug 2022 17:26:42 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id ULs8ErIf9WKGVgAAG6o9tA (envelope-from ) for ; Thu, 11 Aug 2022 17:26:42 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0D8FE3F166 for ; Thu, 11 Aug 2022 17:26:41 +0200 (CEST) Received: from localhost ([::1]:58866 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oMA52-0005jc-Qc for larch@yhetil.org; Thu, 11 Aug 2022 11:26:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46400) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oMA4E-0005i5-3P for guix-devel@gnu.org; Thu, 11 Aug 2022 11:25:51 -0400 Received: from mail-0201.mail-europe.com ([51.77.79.158]:54350) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oMA4B-0008E4-Js for guix-devel@gnu.org; Thu, 11 Aug 2022 11:25:49 -0400 Date: Thu, 11 Aug 2022 15:25:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1660231536; x=1660490736; bh=S7gZnpUUIIenJ88SCSbqKvTlnTrBEuYDlsKi9hMvu+I=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=CIpnzKhrUNAN5xb3SbkAFXtWMDVdqMFFH4V5qww1jqMFVRXNLfbBClXZtdhLxzfA4 YkkSandoDWwYZ2me38+JVqTG5TEVRGE10uEg8hAzxBmFeEMTwRZyGD2z3KwF75IMjZ cLKGH2GXXUsJFoutmS/5atllq6qfqD5iHpXBMAfy9CcQriUBYC/SsQo3og8foHo0OI ooZU36VjOSl68+UOAhQeNG/5HQiroZPm3pqcaHphQC6+SD2/wSSBBy4oONi6benQLo xLGQnZ0HnOWKc6hUGWs/LfgX67qgcvRK0JlxrPizdG6PVD2WkauBOJ8lmXhNPhNK4g wOnVkAdoY7BSw== To: Andrew Tropin From: John Kehayias Cc: guix-devel@gnu.org, Maxime Devos , Tobias Geerinckx-Rice , Efraim Flashner , =?utf-8?Q?Ludovic_Court=C3=A8s?= Subject: Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations Message-ID: In-Reply-To: <46ba22ef-6b47-fec0-5397-64401f5c7983@telenet.be> References: <87tu6idfgd.fsf@trop.in> <46ba22ef-6b47-fec0-5397-64401f5c7983@telenet.be> Feedback-ID: 7805494:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=51.77.79.158; envelope-from=john.kehayias@protonmail.com; helo=mail-0201.mail-europe.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: John Kehayias Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1660231602; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=S7gZnpUUIIenJ88SCSbqKvTlnTrBEuYDlsKi9hMvu+I=; b=KKdmLFYk1EVzZWFVWD+jObbw9MfNbRlOCcmNO+GaST0wYbSjuSVaR2C469aYoz7KrW3KRu rovzaCT0hsxx6ELB54w80VvRSQLV71FeHdDiREpM4SE7gSABK+ajAuC8wA0qug3ojqK/nG HThd1DS5/DxJiyr+58qvTPpAdDiMfMWaHqi/jFfqb6dlYRy+2LZiPKEo7WwIVOdC76n7HV 8+ZdFfk+a78s2jB4SZf6JfM+LIuYg0CZGt65Cs9ns9QPnFCn/EtZLg5IFD8Db32obDqd4o FSBIgK/yofFQiABrdEm5LxjKB1nH0pF9wW0p1RowesI2bCO2K6zqG49YBWuhVw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1660231602; a=rsa-sha256; cv=none; b=Ca1eyC4N6wlyetNkFtW1HcODDMwa4sCs1WyAOgnh4RWczkxIGszEWdyotkQVfBgIFxZB9E bZ7fPM0/WhVqpA+vWdq6aP+HZvTLby3vlxXM9XgHb4x5AmD8N0DviZ/8RpVOFfA7HbosRU x/sdn15Jf2tJkaMh5k0s7WMaAMu0QUOEv78WqyRGehHLx76AW25ocKe7WDlZJ/Nt0PzRpa urNXoaqVXXv1BgdWpnh8s1i14EnQSIRmq0zWgVJEayViFa0GKjzgI4EyTZemxnT0i6UQnk 1F6qaR9UzjlW4lG1st3I6SmyIubqZ+AR1qoGIw4M6s7N0WcZ4JmXCXb9EE5yrQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=CIpnzKhr; dmarc=pass (policy=quarantine) header.from=protonmail.com; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -5.68 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=protonmail.com header.s=protonmail3 header.b=CIpnzKhr; dmarc=pass (policy=quarantine) header.from=protonmail.com; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 0D8FE3F166 X-Spam-Score: -5.68 X-Migadu-Scanner: scn0.migadu.com X-TUID: xFO1XIIsSVG0 Hi everyone, Thanks for this write-up and discussion Andrew. I'm also following along in= [0] but I'll just chime in here for now. When I saw this I was worried since I also "just" use subkeys, meaning for = all signing etc. only my subkey is used. These are set to expire each year = and then I renew them. For places like GitLab/Hub, this requires deleting t= he public key and re-adding it after I renew keys. Old commits still show a= s verified. Anyway, that's my basic usage and I was worried that I would break a (third= party) Guix channel when I was added as a committer. Indeed, that is what = just happened, with the same steps: my primary key fingerprint was added to= .guix-authorizations. GitLab was happy enough verifying the (subkey signed= ) commits, and even Cuirass would get the commits and build them. (Side not= e: does Cuirass not do guix pull? Why would it not fail to pull just as a u= ser?) All that is to say that I think the use case of someone only using subkeys = is valid and one we could expect and should handle. Now, the correct and be= st way to do that, especially with things like time-travel, I don't know. I= just wanted to note that I think only expecting the primary key (rather th= an subkeys) is limiting. Finally, as a concrete example of this usage, I manage my keys with a hardw= are key (YubiKey) and followed this [1] guide to setting up with subkeys th= at I renew regularly. The primary key isn't really used for much and I thin= k this works well, all I manage is renewal every so often.=20 [0] https://issues.guix.gnu.org/57091=20 [1] https://github.com/drduh/YubiKey-Guide John