* Losing signing keys for custom Guix channel
@ 2024-03-25 5:41 elaexuotee
2024-03-25 7:49 ` Markku Korkeala
0 siblings, 1 reply; 9+ messages in thread
From: elaexuotee @ 2024-03-25 5:41 UTC (permalink / raw)
To: guix-devel
Hey devs,
So I lost the PGP key that I was using to sign commits on a private Guix
channel of mine. Is there a way to introduce a hard break in my channel
authentication?
Despite updating authorization settings, pulls complain that my latest commit
isn't signed by an authorized key.
Here are the changes I've made:
- New public key added to keyring branch
- Appended new key fingerprint to .guix-authorizations (at commit X)
- Update introduction in .config/guix/channels.scm
- Point to commit X
- Update openpgp-fingerprint
As a sanity check, I've confirmed that the fingerprint on commit X, the
fingerprint in .guix-authorizations, and the openpgp-fingerprint in my
channels.scm are all the same.
What am I missing?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-25 5:41 Losing signing keys for custom Guix channel elaexuotee
@ 2024-03-25 7:49 ` Markku Korkeala
2024-03-25 12:31 ` Attila Lendvai
2024-03-28 22:47 ` Ludovic Courtès
0 siblings, 2 replies; 9+ messages in thread
From: Markku Korkeala @ 2024-03-25 7:49 UTC (permalink / raw)
To: elaexuotee; +Cc: guix-devel
On Mon, Mar 25, 2024 at 02:41:26PM +0900, elaexuotee@wilsonb.com wrote:
> Hey devs,
>
> So I lost the PGP key that I was using to sign commits on a private Guix
> channel of mine. Is there a way to introduce a hard break in my channel
> authentication?
>
> Despite updating authorization settings, pulls complain that my latest commit
> isn't signed by an authorized key.
>
> Here are the changes I've made:
> - New public key added to keyring branch
> - Appended new key fingerprint to .guix-authorizations (at commit X)
> - Update introduction in .config/guix/channels.scm
> - Point to commit X
> - Update openpgp-fingerprint
>
> As a sanity check, I've confirmed that the fingerprint on commit X, the
> fingerprint in .guix-authorizations, and the openpgp-fingerprint in my
> channels.scm are all the same.
>
> What am I missing?
Hi all,
from reading about guix authentication I think the new signing key
must be first added to the .guix-authoriations file and that commit
must signed with the current signing keys before the new signing
key can be used.
Best wishes,
Markku
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-25 7:49 ` Markku Korkeala
@ 2024-03-25 12:31 ` Attila Lendvai
2024-03-28 22:47 ` Ludovic Courtès
1 sibling, 0 replies; 9+ messages in thread
From: Attila Lendvai @ 2024-03-25 12:31 UTC (permalink / raw)
To: Markku Korkeala; +Cc: elaexuotee, guix-devel
> from reading about guix authentication I think the new signing key
> must be first added to the .guix-authoriations file and that commit
> must signed with the current signing keys before the new signing
> key can be used.
yep. otherwise anyone with access to the origin git repo could override the commit signature based authentication framework.
if you think about it, if there were any options for you to sidestep this situation of a lost key, then any attacker could do the same.
i'm afraid your only option is to re-record and re-sign every commit, force-push them, and publish a new channel intro snippet that all your users must copy into their config.
alternatively, you *may* be able to simply publish a new channel intro snippet (and convince all your users that it's a genuine situation) that will point to the first new commit that is signed with the new key... but i doubt the contract (nor the implementation) of the authentication code would just silently accept the non-authenticated commits that precede your new channel intro commit.
all the best in fixing the situation!
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“’Tis better it be a year later before he can read, than that he should this way get an aversion to learning.”
— John Locke (1632–1704), 'Some Thoughts Concerning Education'
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-25 7:49 ` Markku Korkeala
2024-03-25 12:31 ` Attila Lendvai
@ 2024-03-28 22:47 ` Ludovic Courtès
2024-03-29 3:42 ` elaexuotee
1 sibling, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2024-03-28 22:47 UTC (permalink / raw)
To: Markku Korkeala; +Cc: elaexuotee, guix-devel
Hello,
Markku Korkeala <markku.korkeala@iki.fi> skribis:
> On Mon, Mar 25, 2024 at 02:41:26PM +0900, elaexuotee@wilsonb.com wrote:
[...]
>> Here are the changes I've made:
>> - New public key added to keyring branch
>> - Appended new key fingerprint to .guix-authorizations (at commit X)
>> - Update introduction in .config/guix/channels.scm
>> - Point to commit X
>> - Update openpgp-fingerprint
>>
>> As a sanity check, I've confirmed that the fingerprint on commit X, the
>> fingerprint in .guix-authorizations, and the openpgp-fingerprint in my
>> channels.scm are all the same.
>>
>> What am I missing?
>
> Hi all,
>
> from reading about guix authentication I think the new signing key
> must be first added to the .guix-authoriations file and that commit
> must signed with the current signing keys before the new signing
> key can be used.
Yes, it’s likely the problem; the rest of the description you gave
elaexuotee looks fine to me.
(No need to rewrite the history; changing the introduction is enough.)
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-28 22:47 ` Ludovic Courtès
@ 2024-03-29 3:42 ` elaexuotee
2024-03-29 3:55 ` Jake
2024-03-29 9:45 ` Ludovic Courtès
0 siblings, 2 replies; 9+ messages in thread
From: elaexuotee @ 2024-03-29 3:42 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Markku Korkeala, guix-devel
> > from reading about guix authentication I think the new signing key
> > must be first added to the .guix-authoriations file and that commit
> > must signed with the current signing keys before the new signing
> > key can be used.
>
> Yes, it’s likely the problem; the rest of the description you gave
> elaexuotee looks fine to me.
>
> (No need to rewrite the history; changing the introduction is enough.)
>
> Ludo’.
Well, the catch 22 is that I've lost the original key and so can only sign
.guix-authorizations with the new one.
> (No need to rewrite the history; changing the introduction is enough.)
Without the old key, I'm gathering that a history rewrite is the only way right
now. Seems like a fresh channel introduction should be enough, but our current
authorization check appears to look at earlier commits even in that case, IIUC.
Maybe forcing history rewrites on key loss is the desired behavior? I'm not
sure. From a client perspective, the only difference is whether or not you have
to specify --allow-downgrades on the next pull. In either case a channel intro
update is necessary.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-29 3:42 ` elaexuotee
@ 2024-03-29 3:55 ` Jake
2024-03-29 5:06 ` elaexuotee
2024-03-29 9:45 ` Ludovic Courtès
1 sibling, 1 reply; 9+ messages in thread
From: Jake @ 2024-03-29 3:55 UTC (permalink / raw)
To: elaexuotee; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1586 bytes --]
If commit i adds a new signing key to the channel’s authorisations file and
commit i+1 is signed with that signing key, then commit i+1 can be used in
channel intro.
You can’t add a signing key to the authorisations in a commit and sign that
same commit with the new key. Is that issue here?
Jake
On Fri, 29 Mar 2024 at 2:13 pm, <elaexuotee@wilsonb.com> wrote:
> > > from reading about guix authentication I think the new signing key
> > > must be first added to the .guix-authoriations file and that commit
> > > must signed with the current signing keys before the new signing
> > > key can be used.
> >
> > Yes, it’s likely the problem; the rest of the description you gave
> > elaexuotee looks fine to me.
> >
> > (No need to rewrite the history; changing the introduction is enough.)
> >
> > Ludo’.
>
> Well, the catch 22 is that I've lost the original key and so can only sign
> .guix-authorizations with the new one.
>
> > (No need to rewrite the history; changing the introduction is enough.)
>
> Without the old key, I'm gathering that a history rewrite is the only way
> right
> now. Seems like a fresh channel introduction should be enough, but our
> current
> authorization check appears to look at earlier commits even in that case,
> IIUC.
>
> Maybe forcing history rewrites on key loss is the desired behavior? I'm not
> sure. From a client perspective, the only difference is whether or not you
> have
> to specify --allow-downgrades on the next pull. In either case a channel
> intro
> update is necessary.
>
>
[-- Attachment #2: Type: text/html, Size: 2049 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-29 3:55 ` Jake
@ 2024-03-29 5:06 ` elaexuotee
0 siblings, 0 replies; 9+ messages in thread
From: elaexuotee @ 2024-03-29 5:06 UTC (permalink / raw)
To: Jake; +Cc: guix-devel
Jake <jforst.mailman@gmail.com> wrote:
> If commit i adds a new signing key to the channel’s authorisations file and
> commit i+1 is signed with that signing key, then commit i+1 can be used in
> channel intro.
>
> You can’t add a signing key to the authorisations in a commit and sign that
> same commit with the new key. Is that issue here?
I don't think that's completely accurate. My original channel introduction
commit is precisely the one creating a .guix-authorizations file with my old
key info.
I can certainly add an extra signing key to the authorizations; I just can't
sign that commit with the old key, since the old key has been lost.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-29 3:42 ` elaexuotee
2024-03-29 3:55 ` Jake
@ 2024-03-29 9:45 ` Ludovic Courtès
2024-03-29 10:20 ` elaexuotee
1 sibling, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2024-03-29 9:45 UTC (permalink / raw)
To: elaexuotee; +Cc: Markku Korkeala, guix-devel
elaexuotee@wilsonb.com skribis:
> Well, the catch 22 is that I've lost the original key and so can only sign
> .guix-authorizations with the new one.
Ah sorry, I misread the thing I quoted. :-)
So, you have your new key. You add it to ‘.guix-authorizations’ in a
commit signed with that new key. And then, you make this commit the new
introduction of your channel.
Does that make sense?
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Losing signing keys for custom Guix channel
2024-03-29 9:45 ` Ludovic Courtès
@ 2024-03-29 10:20 ` elaexuotee
0 siblings, 0 replies; 9+ messages in thread
From: elaexuotee @ 2024-03-29 10:20 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Markku Korkeala, guix-devel
Ludovic Courtès <ludo@gnu.org> wrote:
> elaexuotee@wilsonb.com skribis:
>
> > Well, the catch 22 is that I've lost the original key and so can only sign
> > .guix-authorizations with the new one.
>
> Ah sorry, I misread the thing I quoted. :-)
>
> So, you have your new key. You add it to ‘.guix-authorizations’ in a
> commit signed with that new key. And then, you make this commit the new
> introduction of your channel.
>
> Does that make sense?
>
> Ludo’.
Makes perfect sense! It's also exactly what I tried and what ends up failing
authorization on guix pull.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2024-03-30 9:40 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-25 5:41 Losing signing keys for custom Guix channel elaexuotee
2024-03-25 7:49 ` Markku Korkeala
2024-03-25 12:31 ` Attila Lendvai
2024-03-28 22:47 ` Ludovic Courtès
2024-03-29 3:42 ` elaexuotee
2024-03-29 3:55 ` Jake
2024-03-29 5:06 ` elaexuotee
2024-03-29 9:45 ` Ludovic Courtès
2024-03-29 10:20 ` elaexuotee
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.