Re: bug#22883: Authenticating Git checkouts: step #1

[Efraim Flashner <efraim@flashner.co.il>]

[-- Attachment #1: Type: text/plain, Size: 3253 bytes --]

On Sat, Dec 28, 2019 at 06:45:34PM -0800, Vagrant Cascadian wrote:
> On 2019-12-27, Ricardo Wurmus wrote:
> >>   b3011dbbd2 doc: Mention "make authenticate".
> >>   787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
> >>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
> >>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
> >>
> >> Commit 787766ed1e takes care of caching (one of the limitations I
> >> mentioned in my previous message).
> >>
> >> Commit b3011dbbd2 adds instructions for contributors on how to
> >> authenticate a checkout (copied below).  It’s a bit bumpy so I would
> >> very much welcome feedback and suggestions on how to improve this!
> >
> > This is great!
> 
> Yes! Yes!
> 
> 
> > Thank you for the instructions.  I thought I had all keys, but
> > apparently at least one of them is missing.  “make authenticate” fails
> > for me with this error:
> >
> > Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
> >
> > I previously downloaded the gpg keyring from Savannah:
> >
> >     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
> >
> > Looks like Hartmut used to use a different key, which I don’t have.
> 
> I got this too, and manually worked around it by downloading
> guix-keyring.gpg from:
> 
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
> 
> And running:
> 
>   gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg
> 

Thanks for the hint. I started with importing the keyring into my normal
keyring but I see now we have another keyring for this specifically.

(another being the user default, ~/.config/guix/upstream/trustedkeys.kbx
and now this one)

> It seems to be working now... how is the keyring *supposed* to be
> populated? Before I manually imported guix-keyring.gpg into guix.kbx,
> there were a very small number of keys present.
> 
> 
> It's a little awkward that it uses the fingerprint of the signing key
> rather than the primary key, as by default things like "gpg --list-keys"
> do not display the fingerprint of signing keys, only the primary key, so
> it is an adventure in gpg commandline options to correlate them.
> 
> "gpg log --show-signature" also reports the the primary key fingerprint,
> if the key is available in the keyring, and only the subkey fingerprint
> for unknown keys if I remember correctly.
> 
> It would be nice if the statistics would display the primary uid
> instead, as it is something a little more human readable, and the
> primary key fingerprint, as it is a little easier to find. :)
> 
> 
> I'm hoping the eventual goal is to integrate this into guix pull?
> 
> 
> Very nice to see progress on this issue!
> 
> 
> live well,
>   vagrant



-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]