Subject: [bug#41767] [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts.
To: Ludovic Courtès
Cc: 41767@debbugs.gnu.org
From: Maxim Cournoyer
Date: Tue, 09 Jun 2020 13:49:24 -0400

Hello!

Ludovic Courtès writes:

> Fixes .

[...]

> +;; Channel introductions. A "channel introduction" provides a commit/si= gner > +;; pair that specifies the first commit of the authentication process as= well > +;; as its signer's fingerprint. The pair must be signed by the signer o= f that > +;; commit so that only them may emit this introduction. Introductions a= re > +;; used to bootstrap trust in a channel. > +(define-record-type > + (make-channel-introduction first-signed-commit first-commit-signer > + signature) > + channel-introduction?
> + (first-signed-commit channel-introduction-first-signed-commit) ;hex s= tring > + (first-commit-signer channel-introduction-first-commit-signer) ;bytev= ector > + (signature channel-introduction-signature)) ;string > + > +(define %guix-channel-introduction > + ;; Introduction of the official 'guix channel. The chosen commit is t= he > + ;; first one that introduces '.guix-authorizations' on the 'core-updat= es' > + ;; branch that was eventually merged in 'master'. Any branch starting > + ;; before that commit cannot be merged or it will be rejected by 'guix= pull' > + ;; & co. > + (make-channel-introduction > + "87a40d7203a813921b3ef0805c2b46c0026d6c31" > + (base16-string->bytevector > + (string-downcase > + (string-filter char-set:hex-digit ;mbakke > + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"= ))) > + #f)) ;TODO: Add an intro signature so it can be exp= orted.

The GnuPG key fingerprint is SHA1 derived, which isn't cryptographically secure. This doesn't mean fingerprints are unsafe *now* (given that forging a key to match it isn't currently practical), but I don't think we should create something *today* that relies on SHA1 for trust.

My point is made moot by the fact that Git uses SHA1 too... but that's another issue. Just saying, but not blocking or requesting change, as I don't have a good solution for that, short of patching GnuPG and Git.

[...]

> + ;; When COMMITS is empty, it's either because AUTHENTICATED-COMMITS > + ;; contains END-COMMIT or because END-COMMIT is not a descendant of > + ;; START-COMMIT. Check that. > + (if (null? commits) > + (match (commit-relation start-commit end-commit) > + ((or 'self 'ancestor 'descendant) #t) ;nothing to do!
> + ('unrelated > + (raise > + (condition > + (&message > + (message > + (format #f (G_ "'~a' is not related to introductory \ > +commit of channel '~a'~%") > + (oid->string (commit-id end-commit)) > + (channel-name channel)))))))) > + (begin > + (format (current-error-port) > + (G_ "Authenticating channel '~a', \ > +commits ~a to ~a (~h new commits)...~%") > + (channel-name channel) > + (commit-short-id start-commit) > + (commit-short-id end-commit) > + (length commits)) > + > + ;; If it's our first time, verify CHANNEL's introductory commi= t. > + (when (null? authenticated-commits) > + (verify-introductory-commit repository > + (channel-introduction channel) > + keyring)) > + > + (call-with-progress-reporter reporter > + (lambda (report) > + (authenticate-commits repository commits > + #:keyring keyring > + #:report-progress report))) > + > + (unless (null? commits)

That condition is already checked above, but OK to be defensive.

> + (cache-authenticated-commit cache-key > + (oid->string > + (commit-id end-commit)))))))) > + > (define* (latest-channel-instance store channel > #:key (patches %patches) > starting-commit)
> @@ -225,6 +387,14 @@ relation to STARTING-COMMIT when provided." > (update-cached-checkout (channel-url channel) > #:ref (channel-reference channel) > #:starting-commit starting-commi= t))) > + (if (channel-introduction channel) > + (authenticate-channel channel checkout commit) > + ;; TODO: Warn for all the channels once the authentication inter= face > + ;; is public. > + (when (guix-channel? channel) > + (warning (G_ "the code of channel '~a' cannot be authenticated= ~%") > + (channel-name channel)))) > +

Perhaps the warning message could say why.

[...]

> +(unless (gpg+git-available?) (test-skip 1)) > +(test-assert "authenticate-channel, wrong first commit signer" > + (with-fresh-gnupg-setup (list %ed25519-public-key-file > + %ed25519-secret-key-file > + %ed25519bis-public-key-file > + %ed25519bis-secret-key-file) > + (with-temporary-git-repository directory > + `((add ".guix-channel" > + ,(object->string > + '(channel (version 0) > + (keyring-reference "master")))) > + (add ".guix-authorizations" > + ,(object->string > + `(authorizations (version 0) > + ((,(key-fingerprint > + %ed25519-public-key-file) > + (name "Charlie")))))) > + (add "signer.key" ,(call-with-input-file %ed25519-public-key-f= ile > + get-string-all)) > + (commit "first commit" > + (signer ,(key-fingerprint %ed25519-public-key-file)))) > + (with-repository directory repository > + (let* ((commit1 (find-commit repository "first")) > + (intro ((@@ (guix channels) make-channel-introduction) > + (commit-id-string commit1) > + (openpgp-public-key-fingerprint > + (read-openpgp-packet > + %ed25519bis-public-key-file)) ;different key > + #f)) ;no signature > + (channel (channel (name 'example) > + (url (string-append "file://" directory= )) > + (introduction intro)))) > + (guard (c ((message?
c) > + (->bool (string-contains (condition-message c) > + "initial commit")))) > + (authenticate-channel channel directory > + (commit-id-string commit1) > + #:keyring-reference-prefix "") > + 'failed))))))

Eh, I like what you did there :-) Very expressive way to set up your test environment.

So far LGTM.

Maxim
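Review bot: the `signature` field of the channel-introduction record is annotated `;string`, yet `%guix-channel-introduction` passes `#f` for it (with a TODO) and the new test does the same, while the header comment says the pair "must be signed by the signer of that commit". Nothing in the quoted hunks reads `channel-introduction-signature`, so as posted the introduction itself is unsigned and unchecked. I would annotate the field as string or `#f` and state in the comment that the signature is not verified yet, so that nobody assumes the commit/signer pair is already authenticated.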
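Review bot: in the `(null? commits)` branch, the `match` on `(commit-relation start-commit end-commit)` accepts `'self`, `'ancestor` and `'descendant` under the single comment "nothing to do!" and returns before any signature is checked. The comment above it explains the empty list only by END-COMMIT being already authenticated or not being a descendant of START-COMMIT, and the comment on `%guix-channel-introduction` says branches starting before the introductory commit are to be rejected. Please document why each accepted relation is safe to skip, in particular the case where END-COMMIT lies before the introductory commit, or reject that case explicitly the way `'unrelated` is.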
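Review bot: in the else branch of `(if (channel-introduction channel) ...)`, a channel without an introduction is used without authentication, and only the 'guix channel gets a warning; every other channel passes silently until the TODO is resolved, which deserves a sentence in the docstring of `latest-channel-instance`. The warning text also does not name the cause; wording along the lines of "channel '~a' has no introduction and cannot be authenticated" would tell the user what is missing.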
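Review bot: in the "wrong first commit signer" test, the `guard` body ends with `'failed`, but the test is a `test-assert`, and `'failed` is a true value in Scheme, so the test also passes when `authenticate-channel` returns without raising. End the body with `#f` instead, or make it a `test-equal` against `#t`, so that a missing exception actually fails the test.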