From mboxrd@z Thu Jan 1 00:00:00 1970 From: Efraim Flashner Subject: Re: bug#22883: Authenticating Git checkouts: step #1 Date: Sun, 29 Dec 2019 09:34:32 +0200 Message-ID: <20191229073432.GY23018@E5400> References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net> <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net> <877ek364u5.fsf@gnu.org> <87mubmodfb.fsf_-_@gnu.org> <87eewqgc1v.fsf@gnu.org> <87o8vto5rl.fsf@elephly.net> <87a77bzw6p.fsf@yucca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="YPOU9eFKIy6Wf5kE" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:33335) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ilT6P-0002IM-Sy for guix-devel@gnu.org; Sun, 29 Dec 2019 02:35:07 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ilT6O-0008Om-JH for guix-devel@gnu.org; Sun, 29 Dec 2019 02:35:05 -0500 Content-Disposition: inline In-Reply-To: <87a77bzw6p.fsf@yucca> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Vagrant Cascadian Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org --YPOU9eFKIy6Wf5kE Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Dec 28, 2019 at 06:45:34PM -0800, Vagrant Cascadian wrote: > On 2019-12-27, Ricardo Wurmus wrote: > >> b3011dbbd2 doc: Mention "make authenticate". > >> 787766ed1e git-authenticate: Keep a local cache of previously-authen= ticated commits. > >> 785af04a75 git: 'commit-difference' takes a list of excluded commits. > >> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'. > >> > >> Commit 787766ed1e takes care of caching (one of the limitations I > >> mentioned in my previous message). > >> > >> Commit b3011dbbd2 adds instructions for contributors on how to > >> authenticate a checkout (copied below). It=E2=80=99s a bit bumpy so I= would > >> very much welcome feedback and suggestions on how to improve this! > > > > This is great! >=20 > Yes! Yes! >=20 >=20 > > Thank you for the instructions. I thought I had all keys, but > > apparently at least one of them is missing. =E2=80=9Cmake authenticate= =E2=80=9D fails > > for me with this error: > > > > Throw to key `srfi-34' with args `(#)'. > > > > I previously downloaded the gpg keyring from Savannah: > > > > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix > > > > Looks like Hartmut used to use a different key, which I don=E2=80=99t h= ave. >=20 > I got this too, and manually worked around it by downloading > guix-keyring.gpg from: >=20 > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&do= wnload=3D1 >=20 > And running: >=20 > gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/gui= x.kbx --import ~/guix-keyring.gpg >=20 Thanks for the hint. I started with importing the keyring into my normal keyring but I see now we have another keyring for this specifically. (another being the user default, ~/.config/guix/upstream/trustedkeys.kbx and now this one) > It seems to be working now... how is the keyring *supposed* to be > populated? Before I manually imported guix-keyring.gpg into guix.kbx, > there were a very small number of keys present. >=20 >=20 > It's a little awkward that it uses the fingerprint of the signing key > rather than the primary key, as by default things like "gpg --list-keys" > do not display the fingerprint of signing keys, only the primary key, so > it is an adventure in gpg commandline options to correlate them. >=20 > "gpg log --show-signature" also reports the the primary key fingerprint, > if the key is available in the keyring, and only the subkey fingerprint > for unknown keys if I remember correctly. >=20 > It would be nice if the statistics would display the primary uid > instead, as it is something a little more human readable, and the > primary key fingerprint, as it is a little easier to find. :) >=20 >=20 > I'm hoping the eventual goal is to integrate this into guix pull? >=20 >=20 > Very nice to see progress on this issue! >=20 >=20 > live well, > vagrant --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --YPOU9eFKIy6Wf5kE Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIyBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAl4IVwQACgkQQarn3Mo9 g1E5wg/40t6CqJNccMOPJv9mzpW2tMv+NonmzEC9GWEMlTbGO3xJOIGhBnbrMxV0 uTJs5RHIDC0ggCkhlNJB/mgu1sl2VR3U0m9OiyFZew5/qx62FR6biirWv4xnmdb0 PB9ye8b5yTmK6Qt2lFB/PMqwBLdM3qtCipaZD7JVMsEEWufPk4OIRSLdXQbweyZh 3jD0B7VrCTLy8FyRtVCpLnrHZ0zXScGGJ7nRNecOw17oze67VsKVgIkmHKMnl2R8 iO6fktNjnom3lQZ7g/mkcpXnyaem1RNSO5zJf624Qq4QPNbOv5wtRlufP2x4PMxP k0iRrBb0dIEpVByz8RlWyGQ9P4VvAnWs1lfhq70iQa7cEGZrFpWz95PfVeB0IpY7 wWSBvYoWgaPtXcUFAAjShEdGy8bd8S7U6KSFQpewRfkyJ8PymAq8lEvkdp/FjzWA r8LMMuxs7RDsOM3HHQ8RjEOZ+lKuypIxZTW1i8ROdRBqe2U1G+DCLZkdREkwTjGV PCDOcmZn/fyoE80w3iQX/2KPXdFcdRCzlEzktB9sQ0wuBIeTBdIWXpZmpz+qN+r3 nKI//UM0j+wc8ae1NISJzoK8AgrxoFj2fB1sIU7qrH6ETDXPcahOHejpPapmYxbt poJ/5LVzFxscQ5bkMIdCujss6KhP9yOg5NgZRZFDLCcV9mY6DQ== =IW6b -----END PGP SIGNATURE----- --YPOU9eFKIy6Wf5kE--