From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id 1H3rDwm5UGE/2QAAgWs5BA (envelope-from ) for ; Sun, 26 Sep 2021 20:16:41 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id UtHlCgm5UGFRGAAAbx9fmQ (envelope-from ) for ; Sun, 26 Sep 2021 18:16:41 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id AE63D829C for ; Sun, 26 Sep 2021 20:16:40 +0200 (CEST) Received: from localhost ([::1]:43220 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mUYhb-0007TT-Sl for larch@yhetil.org; Sun, 26 Sep 2021 14:16:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:55850) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mUYh0-000772-L1 for guix-patches@gnu.org; Sun, 26 Sep 2021 14:16:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:55443) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mUYh0-0006LH-Dl for guix-patches@gnu.org; Sun, 26 Sep 2021 14:16:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1mUYh0-000209-8Z; Sun, 26 Sep 2021 14:16:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channel intro commit. Resent-From: Maxime Devos Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 26 Sep 2021 18:16:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 50814 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Attila Lendvai , 50814@debbugs.gnu.org Received: via spool by 50814-submit@debbugs.gnu.org id=B50814.16326801074492 (code B ref 50814); Sun, 26 Sep 2021 18:16:02 +0000 Received: (at 50814) by debbugs.gnu.org; 26 Sep 2021 18:15:07 +0000 Received: from localhost ([127.0.0.1]:38756 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mUYg7-0001A1-Bj for submit@debbugs.gnu.org; Sun, 26 Sep 2021 14:15:07 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:44558) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mUYg5-00016L-4C for 50814@debbugs.gnu.org; Sun, 26 Sep 2021 14:15:06 -0400 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by baptiste.telenet-ops.be with bizsmtp id yiF3250030mfAB401iF3VW; Sun, 26 Sep 2021 20:15:03 +0200 Message-ID: <2b0173cc9809ab1e806bf0061fc28a9a85dda6e0.camel@telenet.be> From: Maxime Devos In-Reply-To: <20210926101928.3877-1-attila@lendvai.name> References: <20210926101928.3877-1-attila@lendvai.name> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-T0Rmxvr6JckLDOp1J0l6" Date: Sun, 26 Sep 2021 20:14:41 +0200 MIME-Version: 1.0 User-Agent: Evolution 3.34.2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1632680103; bh=zxVmm4eG/ck84kdFcjH5tFLJ0LwR2202hAvXv07WDRg=; h=Subject:From:To:In-Reply-To:References:Date; b=cV6qyMECT7m0d20FcLiv8Pjc9r5O3ksXeD2SS/Q+5rLFopHf/lVtDRvjjELsJXRjU MI7aZsJt8ib3laqa6q4sBFRaZ9ELdMLRquB0xpwbJ+9PdFBM4cK289vz6Gb9LSuxCN so33Cp9rUdM5Vy+aeKVECktAM9WF0L8OfHeRYTVbW7cxDwx3Jgp2JFuzBp5F6VX3LH YFLTAsPot7dsFieCuKCPs1IYI3fyhBl7zMMwNcFOcraQhfTaKL6lx2SAxAMTGFXR8c SZnVnnoxOOqAgnZGnYRCg6Nz3A8VUXuVJOhmwIHHGYUBrIt3R/3bP6u94rm8scVjTp 81Olo6d3Mx7pw== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1632680200; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=zxVmm4eG/ck84kdFcjH5tFLJ0LwR2202hAvXv07WDRg=; b=eShqG/QlN3I2Fihi3amH3/bnBkOFSDp1WODIq4+q9rIEuAVeJ6uLkC6c/InUjVw5nQmZ/m T//arkx4C8LqfwMdC3LOrmkTG18v5tpZmCze6ZOh6H3vS0+PpijEqK1VQko6FEEyeLry+0 ak24Hbq4w0NBDfVLZjCKdjLKeiDoYqyrWczVZVz+uwjHCUFbnKEarSglNnoIZMVdt99MLl u6Qw+kJ/c1Yv4K2qBMENcFf+nei8cf4/OIgvpM2DeBee6oOjbdP19R0LwTnWCIcv9ABrGK ReWslvhVtJwvdu35RfvzR/vIJcrKeic2C0iW/x+p0KYEvKzfhzaRNFVIt7eCwQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1632680200; a=rsa-sha256; cv=none; b=dFMdOcLaXXq8WQiaQ6GuWwMBvzU6RB31G1lufgjJQrBnnLZYR2j/sJ/dZsDhzEDQSVRnKe OocU/namfzgcBQLw/lQZLO2MDnniDTS0vPU5RO3zmG71385tdpNEiOFe23vbsD1vrZ0rl9 0WQgZGUZV/3OMShQIhDq3+tYnAOSRRCE0y0uXTn0jwLOqOiZkePN0Pgcl4gr6u0x/fUqG5 7fBAluk+pXerWuzfsxqyCHa7lK7UdruiaNEowljeUeg0v1u4xjWYNPlmt/Pu8KequCVK/u 4QIjNOLJJNRvzQdj509nTfqpbqIgOZEsmrDpuWn9NKgcia+yltzvMYjaj8v6Ig== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=cV6qyMEC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: -3.39 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=cV6qyMEC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: AE63D829C X-Spam-Score: -3.39 X-Migadu-Scanner: scn0.migadu.com X-TUID: gKq6WbQP4SBp --=-T0Rmxvr6JckLDOp1J0l6 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Attila Lendvai schreef op zo 26-09-2021 om 12:19 [+0200]: > * guix/git-authenticate.scm (authenticate-commit): Reword and extend the = error > message to point to the relevant part of the manual. > (authenticate-repository): Explicitly authenticate the channel introducti= on > commit, so that it's also rejected unless it is signed by an authorized > key. Otherwise only the second commit would yield an error, which > is confusing. > --- >=20 > here's how i tested this: >=20 > i set up pulling from a local checkout of guix. > in that branch i created a signed dummy commit, and added it as a channel > introduction, replacing guix in my /etc/guix/channels.scm. then tried to > guix pull, which worked. >=20 > then i added another dummy commit, which resulted in an error when pullin= g. >=20 > then i reset the branch back to only contain the first commit, and added > this code that then resulted in an error even with a single commit. >=20 > i have encountered it while i was trying to set up my local checkout to > test my patches on my live guix, and i was utterly confused why my commit > was rejected as unauthenticated (i misunderstood how git-authenticate > works). >=20 > guix/git-authenticate.scm | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) >=20 > diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm > index ab3fcd8b2f..7d66bf0754 100644 > --- a/guix/git-authenticate.scm > +++ b/guix/git-authenticate.scm > @@ -236,8 +236,8 @@ not specify anything, fall back to DEFAULT-AUTHORIZAT= IONS." > (condition > (&unauthorized-commit-error (commit id) > (signing-key signing-key))) > - (formatted-message (G_ "commit ~a not signed by an authorize= d \ > -key: ~a") > + (formatted-message (G_ "commit ~a is signed by an unauthoriz= ed \ > +key: ~a\nSee info guix \"Specifying Channel Authorizations\".") > (oid->string id) > (openpgp-format-fingerprint > (openpgp-public-key-fingerprint > @@ -424,7 +424,12 @@ denoting the authorized keys for commits whose paren= t lack the > ;; If it's our first time, verify START-COMMIT's signature. > (when (null? authenticated-commits) > (verify-introductory-commit repository keyring > - start-commit signer)) > + start-commit signer) > + ;; Explicitly authenticate the channel introduction commit, so= that > + ;; it's also rejected unless it's signed by an authorized > + ;; key. Otherwise only the second commit would yield an error,= which > + ;; is confusing. > + (authenticate-commits repository (list start-commit))) Could you add a test to tests/git-authenticate.scm, verifying the right com= it is reported? (Maybe use unauthorized-commit-error?, guard and authenticate-repository.) I'm not sure explicitely validating the start commit is sufficient. What h= appens in the following scenario: (Order of commits) 0. start commit 1. valid (already authenticated?) commit 2. invalid commit 3. invalid commit Is commit 2 reported, or commit 3 reported? I think commit 2 should be rep= orted, but from your messages on IRC, I think you saw commit 3 being reported? Greetings, Maxime. --=-T0Rmxvr6JckLDOp1J0l6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYVC4iRccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7qZjAQDP3PxstiQvdEIYogONKEK5cV7Y S23cCMA+zr00wECX8wD/XEJ4PwOOlWjmfQV/hRD+r63hwNgnMXiUr4JTHicpRwc= =F26d -----END PGP SIGNATURE----- --=-T0Rmxvr6JckLDOp1J0l6--