Subject: [bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channel intro commit.
From: Ludovic Courtès
To: Attila Lendvai
Cc: 50814@debbugs.gnu.org, guix-patches@gnu.org
Date: Sat, 09 Oct 2021 15:53:24 +0200
Message-ID: <878rz2xq23.fsf@gnu.org>
In-Reply-To: <20210926101928.3877-1-attila@lendvai.name> (Attila Lendvai's message of "Sun, 26 Sep 2021 12:19:29 +0200")
Hi Attila,

Attila Lendvai skribis:

> * guix/git-authenticate.scm (authenticate-commit): Reword and extend the error
> message to point to the relevant part of the manual.
> (authenticate-repository): Explicitly authenticate the channel introduction
> commit, so that it's also rejected unless it is signed by an authorized
> key. Otherwise only the second commit would yield an error, which
> is confusing.

This behavior is intentional and documented (info "(guix) Specifying Channel Authorizations"):

  Channel introductions answer these questions by describing the first
  commit of a channel that should be authenticated. The first time a
  channel is fetched with ‘guix pull’ or ‘guix time-machine’, the command
  looks up the introductory commit and verifies that it is signed by the
  specified OpenPGP key. From then on, it authenticates commits according
  to the rule above.

  […]

  The channel introduction, as we saw above, is the commit/key pair—i.e.,
  the commit that introduced ‘.guix-authorizations’, and the fingerprint
  of the OpenPGP key used to sign it.

By definition, parent commits of the introduction do not (not necessarily) provide ‘.guix-authorizations’. So there’s nothing to be done here, other than checking that the introductory commit is indeed signed by the key specified in the introduction.

Does that make sense?

(Other patches you posted in this thread might be useful though, but we can discuss them independently.)

Thanks,
Ludo’.

PS: If you haven’t already, you can take a look at the following pages for more on the design rationale:

  https://guix.gnu.org/en/blog/2020/securing-updates/
  https://issues.guix.gnu.org/22883#69
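The two-step rule discussed above (check that the introductory commit is signed by the introduction's key, then authenticate each later commit against the `.guix-authorizations` file of its parents) is easier to reason about when written out. The following is an added example, not code from Guix or from this thread: Guix implements this in Guile over a real git repository and verifies OpenPGP signatures, whereas here a commit's signature is modeled as the fingerprint of the key that signed it, `.guix-authorizations` as a set of fingerprints, and the repository as a constructed dictionary. Commit ids, key names and the `Commit`/`check` helpers are all assumptions made for the illustration.

```python
"""Toy model of Guix channel authentication from a channel introduction.

Added example, not Guix's own code. Signatures and .guix-authorizations are
modeled as plain fingerprint strings; no git or OpenPGP is involved.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class AuthenticationError(Exception):
    pass


@dataclass(frozen=True)
class Commit:
    id: str
    parents: Tuple[str, ...]
    signer: Optional[str]                      # fingerprint of the signing key; None if unsigned
    authorizations: Optional[FrozenSet[str]]   # keys listed in .guix-authorizations; None if absent


Repo = Dict[str, Commit]


def authenticate_commit(repo: Repo, commit: Commit) -> None:
    """The authorization rule: a commit is authentic iff it is signed by a key
    listed in the .guix-authorizations file of each of its parents.  Note that
    the commit's *own* .guix-authorizations is irrelevant to its authenticity."""
    if commit.signer is None:
        raise AuthenticationError(f"commit {commit.id} is not signed")
    for pid in commit.parents:
        parent = repo[pid]
        if parent.authorizations is None:
            raise AuthenticationError(
                f"commit {pid} (parent of {commit.id}) lacks .guix-authorizations")
        if commit.signer not in parent.authorizations:
            raise AuthenticationError(
                f"commit {commit.id} signed by {commit.signer}, not authorized by parent {pid}")


def ancestors(repo: Repo, cid: str) -> Set[str]:
    """All commits reachable from cid, including cid itself."""
    out: Set[str] = set()
    stack = [cid]
    while stack:
        c = stack.pop()
        if c not in out:
            out.add(c)
            stack.extend(repo[c].parents)
    return out


def commits_after(repo: Repo, introduction: str, head: str) -> List[Commit]:
    """Commits reachable from head but not from the introduction, parents first."""
    excluded = ancestors(repo, introduction)
    seen: Set[str] = set()
    order: List[Commit] = []

    def visit(cid: str) -> None:
        if cid in seen or cid in excluded:
            return
        seen.add(cid)
        for p in repo[cid].parents:
            visit(p)
        order.append(repo[cid])

    visit(head)
    return order


def authenticate_repository(repo: Repo, intro_commit: str, intro_key: str, head: str) -> List[str]:
    """Step 1: the introductory commit must be signed by the key named in the
    channel introduction.  Its parents are never consulted, since by definition
    they need not carry .guix-authorizations.  Step 2: every later commit up to
    head is authenticated by the rule.  Returns the ids authenticated, in order."""
    intro = repo[intro_commit]
    if intro.signer != intro_key:
        raise AuthenticationError(
            f"introductory commit {intro_commit} is signed by {intro.signer}, "
            f"but the channel introduction names {intro_key}")
    checked = [intro.id]
    for c in commits_after(repo, intro_commit, head):
        authenticate_commit(repo, c)
        checked.append(c.id)
    return checked


def check(repo: Repo, intro_commit: str, intro_key: str, head: str) -> Tuple[bool, str]:
    """(True, 'c1,c2,...') on success, (False, reason) on the first failure."""
    try:
        return True, ",".join(authenticate_repository(repo, intro_commit, intro_key, head))
    except AuthenticationError as e:
        return False, str(e)


# Constructed sample history (stand-in fingerprints, not real keys).
ALICE, BOB, MALLORY = "FP-ALICE", "FP-BOB", "FP-MALLORY"
REPO: Repo = {
    "c0": Commit("c0", (), None, None),                          # pre-introduction: unsigned, no file
    "c1": Commit("c1", ("c0",), ALICE, frozenset({ALICE, BOB})),  # the introduction, signed by Alice
    "c2": Commit("c2", ("c1",), BOB, frozenset({ALICE, BOB})),
    "c3": Commit("c3", ("c2",), MALLORY, frozenset({ALICE, BOB, MALLORY})),  # Mallory self-authorizes
}

if __name__ == "__main__":
    for args in [("c1", ALICE, "c2"), ("c1", ALICE, "c3"), ("c1", BOB, "c2"), ("c0", ALICE, "c2")]:
        print(args, "->", check(REPO, *args))
```

The third case is the one the patch is about: an introductory commit signed by a key other than the one in the introduction is rejected at the introduction itself, not at the second commit, because step 1 already covers it. The second case shows why a commit cannot grant itself authority: `c3` lists Mallory's key in its own `.guix-authorizations`, but the rule only consults the parent's file.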