From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id WEbaLkiz3l6xZwAA0tVLHw
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 08 Jun 2020 21:53:12 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id MDgdKkiz3l6PDgAAbx9fmQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 08 Jun 2020 21:53:12 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 189B4940145
	for <larch@yhetil.org>; Mon,  8 Jun 2020 21:53:12 +0000 (UTC)
Received: from localhost ([::1]:44440 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1jiPhd-0004Kc-IS
	for larch@yhetil.org; Mon, 08 Jun 2020 17:53:09 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50190)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jiPhW-0004KU-Kr
 for guix-patches@gnu.org; Mon, 08 Jun 2020 17:53:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:46530)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jiPhW-0007w0-At
 for guix-patches@gnu.org; Mon, 08 Jun 2020 17:53:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1jiPhW-0006Qz-6D; Mon, 08 Jun 2020 17:53:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#41767] [PATCH 0/9] Authenticate channels
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: 22883@debbugs.gnu.org, guix-patches@gnu.org
Resent-Date: Mon, 08 Jun 2020 21:53:02 +0000
Resent-Message-ID: <handler.41767.B.159165315924699@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 41767
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 41767@debbugs.gnu.org
Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>, 22883@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
X-Debbugs-Original-Xcc: 22883@debbugs.gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.159165315924699
 (code B ref -1); Mon, 08 Jun 2020 21:53:02 +0000
Received: (at submit) by debbugs.gnu.org; 8 Jun 2020 21:52:39 +0000
Received: from localhost ([127.0.0.1]:58076 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1jiPh8-0006QJ-T6
 for submit@debbugs.gnu.org; Mon, 08 Jun 2020 17:52:39 -0400
Received: from lists.gnu.org ([209.51.188.17]:46760)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1jiPh7-0006QC-JW
 for submit@debbugs.gnu.org; Mon, 08 Jun 2020 17:52:37 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50140)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1jiPh7-0004Jb-8y
 for guix-patches@gnu.org; Mon, 08 Jun 2020 17:52:37 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:57626)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1jiPh6-0007uQ-9X; Mon, 08 Jun 2020 17:52:36 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56810 helo=gnu.org)
 by fencepost.gnu.org with esmtpsa
 (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82)
 (envelope-from <ludo@gnu.org>)
 id 1jiPh5-0007Iq-Ts; Mon, 08 Jun 2020 17:52:36 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Date: Mon,  8 Jun 2020 23:52:24 +0200
Message-Id: <20200608215224.2672-1-ludo@gnu.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-Spam-Score: -3.3 (---)
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Spam-Score: -0.01
X-TUID: TTmmf3wzW/EX

Hi Guix!

This patch series does it!  It integrates checkout authentication
with (guix channels).  Now, ‘guix pull’, ‘guix time-machine’ etc.
automatically authenticate the commits they fetch and raise an
error if they find an unsigned commit or a commit signed by an
unauthorized party¹.

Channel introductions² are implemented but not exposed.  Thus,
third-party channels cannot use the authentication mechanism yet.
Conversely, the ‘guix’ channel is authenticated by default.

Any commit in the closure of the introduction’s first commit
is considered authentic (for instance, the commit pointed to
by ‘v0.5’ is considered authentic, even though it’s not even
signed.)  Conversely, any commit that does _not_ contain the
introduction’s first commit in its closure is considered
inauthentic.

The patch marked “DROP?” implements “prehistorical authorizations”,
i.e., authorizations for when ‘.guix-authorizations’ didn’t exist
(“make authenticate” does that as well).

Without that patch, we take 87a40d7203a813921b3ef0805c2b46c0026d6c31
(May 5th) as the introduction’s first commit.

In concrete terms, what the patch marked as “DROP?” would buy
us is the ability to merge branches created between ‘v1.0.0’ and
87a40….  I think it’s not that useful, so I’m willing to drop it.
(We can always take it later if we want to.)

There’s a ‘--disable-authentication’ escape hatch for ‘guix pull’,
but not for ‘guix time-machine’ (we’d need to make sure we don’t
cache an inferior that was not authenticated.)

I would much welcome feedback!  I’m happy to answer questions if
anything’s unclear.  Don’t hesitate, because after that it’ll be
harder to change!

Ludo’.

¹ https://issues.guix.gnu.org/issue/22883#64
² https://issues.guix.gnu.org/issue/22883#69

Ludovic Courtès (9):
  git-authenticate: Cache takes a key parameter.
  git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
  tests: Move OpenPGP helpers to (guix tests gnupg).
  channels: 'latest-channel-instance' authenticates Git checkouts.
  channels: Make 'validate-pull' call right after clone/pull.
  .guix-channel: Add 'keyring-reference'.
  channels: Automatically add introduction for the official 'guix'
    channel.
  pull: Add '--disable-authentication'.
  DROP? channels: Add prehistorical authorizations to
    <channel-introduction>.

 .dir-locals.el                 |   1 +
 .guix-channel                  |   3 +-
 build-aux/git-authenticate.scm | 246 +------------------
 doc/guix.texi                  |  20 +-
 guix/channels.scm              | 437 +++++++++++++++++++++++++++++++--
 guix/git-authenticate.scm      |  32 +--
 guix/scripts/pull.scm          |  24 +-
 guix/tests/gnupg.scm           |  32 ++-
 tests/channels.scm             | 128 +++++++++-
 tests/git-authenticate.scm     |  25 --
 10 files changed, 634 insertions(+), 314 deletions(-)

-- 
2.26.2