[bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channel intro commit.

["Ludovic Courtès" <ludo@gnu.org>]

Hi Attila,

Attila Lendvai <attila@lendvai.name> skribis:

> * guix/git-authenticate.scm (authenticate-commit): Reword and extend the error
> message to point to the relevant part of the manual.
> (authenticate-repository): Explicitly authenticate the channel introduction
> commit, so that it's also rejected unless it is signed by an authorized
> key. Otherwise only the second commit would yield an error, which
> is confusing.

This behavior is intentional and documented (info "(guix) Specifying
Channel Authorizations"):

     Channel introductions answer these questions by describing the first
  commit of a channel that should be authenticated.  The first time a
  channel is fetched with ‘guix pull’ or ‘guix time-machine’, the command
  looks up the introductory commit and verifies that it is signed by the
  specified OpenPGP key.  From then on, it authenticates commits according
  to the rule above.

  […]

     The channel introduction, as we saw above, is the commit/key
     pair—i.e., the commit that introduced ‘.guix-authorizations’, and
     the fingerprint of the OpenPGP used to sign it.

By definition, parent commits of the introduction do not (not
necessarily) provide ‘.guix-authorizations’.  So there’s nothing to be
done here, other than checking that the introductory commit is indeed
signed by the key specified in the introduction.

Does that make sense?

(Other patches you posted in this thread might be useful though, but we
can discuss them independently.)

Thanks,
Ludo’.

PS: If you haven’t already, you can take a look at the following pages
    for more on the design rationale:

      https://guix.gnu.org/en/blog/2020/securing-updates/
      https://issues.guix.gnu.org/22883#69