all messages for Guix-related lists mirrored at yhetil.org
* Authenticate a channel
@ 2024-12-26 16:48 Jeremy Korwin-Zmijowski
  2024-12-28 18:01 ` Ludovic Courtès
  0 siblings, 1 reply; 11+ messages in thread
From: Jeremy Korwin-Zmijowski @ 2024-12-26 16:48 UTC (permalink / raw)
  To: help-guix

Dear Guixters,

I have made an authenticated channel at 
https://framagit.org/jeko/guix-jeko-channel

While on the initial commit 60d0b6b2, I was able to `guix pull` with no 
issue.

But two days ago, I pushed a new signed commit (`git log 
--show-signature` can tell).

I haven't changed anything with my keys since then. So I was surprised to 
see `guix pull` returning:

    guix pull: erreur : could not authenticate commit
    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

I don't really need to authenticate my channel as I am the only one 
making changes on it.

This was an experiment to learn. I struggled a lot to set it up.

I am currently running Guix on top of Ubuntu.

I would be grateful for any help or hint.

Cheers, take care.

Jeremy

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-26 16:48 Authenticate a channel Jeremy Korwin-Zmijowski
@ 2024-12-28 18:01 ` Ludovic Courtès
  2024-12-29 13:04   ` Marcel van der Boom
  0 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2024-12-28 18:01 UTC (permalink / raw)
  To: Jeremy Korwin-Zmijowski; +Cc: help-guix

Hi Jérémy,

Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> writes:

> I haven't changed anything with my keys since then. So I was surprised
> to see `guix pull` returning:
>
>    guix pull: erreur : could not authenticate commit
>    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

Presumably this indicates that this key is missing from the ‘keyring’
branch of your channel.  You should export it and add it to that branch.

HTH!

Ludo’.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-28 18:01 ` Ludovic Courtès
@ 2024-12-29 13:04   ` Marcel van der Boom
  2024-12-30 18:57     ` Cayetano Santos
  2025-01-10 12:22     ` Tobias Geerinckx-Rice
  0 siblings, 2 replies; 11+ messages in thread
From: Marcel van der Boom @ 2024-12-29 13:04 UTC (permalink / raw)
  To: help-guix

I have issues with this too. On every git pull and guix pull I get 
messages that my key is missing, although I did add it locally to the 
keyring branch.

Is there a procedure documented somewhere on how to make sure the 
signature is present and correct? It feels like I am just missing 
something small here.

Some unknowns for me:
- are subkeys supported? anything special needed?
- it seems there is a file-naming convention on the keyring branch for 
the keys?
- do I need to pull the keyring in manually over time or does the 
machinery take care of this?


On 2024-12-28 19:01, Ludovic Courtès wrote:
> Hi Jérémy,
> 
> Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> writes:
> 
>> I haven't changed anything with my keys since then. So I was surprised
>> to see `guix pull` returning:
>>
>>     guix pull: erreur : could not authenticate commit
>>     ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>>     FAED  FA70 A2E0 F15D BF8E A5F0 is missing
> 
> Presumably this indicates that this key is missing from the ‘keyring’
> branch of your channel.  You should export it and add it to that branch.
> 
> HTH!
> 
> Ludo’.
> 



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-29 13:04   ` Marcel van der Boom
@ 2024-12-30 18:57     ` Cayetano Santos
  2025-01-01 12:03       ` Marek Paśnikowski
  2025-01-10 11:22       ` Marcel van der Boom
  2025-01-10 12:22     ` Tobias Geerinckx-Rice
  1 sibling, 2 replies; 11+ messages in thread
From: Cayetano Santos @ 2024-12-30 18:57 UTC (permalink / raw)
  To: Marcel van der Boom; +Cc: help-guix


>Sun. 29 Dec. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:

> I have issues with this too. On every git pull and guix pull I get messages that my key is
> missing, although I did add it locally to the keyring branch.
>
> Is there a procedure documented somewhere on how to make sure the signature is present and
> correct? It feels like I am just missing something small here.

Most up to date documentation is here,

https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html

> Some unknowns for me:
> - are subkeys supported? anything special needed?
> - it seems there is a file-naming convention on the keyring branch for the keys?
> - do I need to pull the keyring in manually over time or does the machinery take care of
>  this?

Have you checked with other public channels ?

--
Cayetano Santos
GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-30 18:57     ` Cayetano Santos
@ 2025-01-01 12:03       ` Marek Paśnikowski
  2025-01-02  9:07         ` Jeremy Korwin-Zmijowski
  2025-01-10 11:22       ` Marcel van der Boom
  1 sibling, 1 reply; 11+ messages in thread
From: Marek Paśnikowski @ 2025-01-01 12:03 UTC (permalink / raw)
  To: Marcel van der Boom, help-guix, Cayetano Santos

> >Sun. 29 Dec. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:
> > I have issues with this too. On every git pull and guix pull I get
> > messages that my key is missing, although I did add it locally to the
> > keyring branch.
> > 
> > Is there a procedure documented somewhere on how to make sure the
> > signature is present and correct? It feels like I am just missing
> > something small here.
> 
> Most up to date documentation is here,
> 
> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html
> 
> > Some unknowns for me:
> > - are subkeys supported? anything special needed?
> > - it seems there is a file-naming convention on the keyring branch for the
> > keys?
> > - do I need to pull the keyring in manually over time or does the
> > machinery take care of this?
> 
> Have you checked with other public channels ?
> 
> --
> Cayetano Santos
> GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
> FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682

I looked at Jeko’s channel and noticed one discrepancy from my working setup.

The key file has a wrong name extension.

From documentation:

Additionally, your channel must provide all the OpenPGP keys that were ever 
mentioned in .guix-authorizations, stored as .key files, which can be either 
binary or “ASCII-armored”.

In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks 
the documented assumption. My key is named marekpasnikowski.key, for 
reference.

Hopefully, the name problem is the only problem here.

I also share the opinion that the documentation is written in a confusing 
style, especially for novices.





^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2025-01-01 12:03       ` Marek Paśnikowski
@ 2025-01-02  9:07         ` Jeremy Korwin-Zmijowski
  0 siblings, 0 replies; 11+ messages in thread
From: Jeremy Korwin-Zmijowski @ 2025-01-02  9:07 UTC (permalink / raw)
  To: help-guix

Hello,

>  From documentation:
>
> Additionally, your channel must provide all the OpenPGP keys that were ever
> mentioned in .guix-authorizations, stored as .key files, which can be either
> binary or “ASCII-armored”.
>
> In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks
> the documented assumption. My key is named marekpasnikowski.key, for
> reference.
>
> Hopefully, the name problem is the only problem here.
>
> I also share the opinion that the documentation is written in a confusing
> style, especially for novices.

Marek pointed me in the right direction.

Renaming the key file with .key extension solved the problem.

Thank you all for the help.

Happy new year, wish you and your loved ones all the best.

Jérémy



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-30 18:57     ` Cayetano Santos
  2025-01-01 12:03       ` Marek Paśnikowski
@ 2025-01-10 11:22       ` Marcel van der Boom
  2025-01-11  0:25         ` Tomas Volf
  1 sibling, 1 reply; 11+ messages in thread
From: Marcel van der Boom @ 2025-01-10 11:22 UTC (permalink / raw)
  To: Cayetano Santos; +Cc: help-guix


Not 100% sure, but I think this applies to my situation:

"Pay attention to merges in particular: merge commits are 
considered authentic if and only if they are signed by a key 
present in the .guix-authorizations file of both branches."


My local (channel) repo is just the guix sources with some 
patches, which obviously will lead to merge commits on almost 
every pull.

Is this analysis correct?

If so, how do I change this? My goal is to have a local copy to 
put patches in. This works easier in some cases rather than having 
a manifest.


[Cayetano Santos]:
>>Sun. 29 Dec. 2024 at 14:04, Marcel van der Boom 
>><marcel@hsdev.com> wrote:

>> I have issues with this too. On every git pull and guix pull I 
>> get messages that my key is
>> missing, although I did add it locally to the keyring branch.
>>
>> Is there a procedure documented somewhere on how to make sure 
>> the signature is present and
>> correct? It feels like I am just missing something small here.

> Most up to date documentation is here,

> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html

>> Some unknowns for me:
>> - are subkeys supported? anything special needed?
>> - it seems there is a file-naming convention on the keyring 
>> branch for the keys?
>> - do I need to pull the keyring in manually over time or does 
>> the machinery take care of
>>  this?

> Have you checked with other public channels ?



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2024-12-29 13:04   ` Marcel van der Boom
  2024-12-30 18:57     ` Cayetano Santos
@ 2025-01-10 12:22     ` Tobias Geerinckx-Rice
  2025-01-10 12:51       ` Tobias Geerinckx-Rice
  2025-01-10 13:47       ` Marcel van der Boom
  1 sibling, 2 replies; 11+ messages in thread
From: Tobias Geerinckx-Rice @ 2025-01-10 12:22 UTC (permalink / raw)
  To: help-guix, Marcel van der Boom

H(o)i Marcel,

On 29 December 2024 13:04:59 UTC, Marcel van der Boom <marcel@hsdev.com> wrote:
>- are subkeys supported? anything special needed?

AIR Guix does not (yet?) resolve subkeys to an authorised primary.  This means that each signing subkey used must be explicitly authorised.  If you look at upstream Guix's .guix-authorizations, you'll see a good few ';; Primary: XXXX…' comments above certain keys, including mine.

>- do I need to pull the keyring in manually over time or does the machinery take care of this?

If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes.  There is no magic.

If you mean 'guix pull', even from a file:// URL: guix clones and updates the entire repository, not only 'master'.  No additional action is needed to fetch the latest upstream keyring.



Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.


^ permalink raw reply	[flat|nested] 11+ messages in thread
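
Added example, not part of any message in this thread: a shell lint for the two pitfalls identified above, namely keyring-branch files whose names do not end in `.key`, and fingerprints listed in `.guix-authorizations` (signing subkeys included) that no `.key` file provides. It assumes `git` and a `gpg` that supports `--show-keys`, a keyring reference named `keyring` unless a second argument says otherwise, and it reads `.guix-authorizations` from the working tree; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes git and a gpg that supports
# --show-keys, and a keyring reference named "keyring" unless $2 says otherwise.

# stdin: .guix-authorizations text. stdout: authorized fingerprints, one per
# line, spaces removed. ';' comments are dropped first, so a fingerprint that
# only appears in a ';; primary:' comment is NOT counted as authorized.
authorized_fingerprints() {
    sed 's/;.*//' | grep -oE '"[0-9A-Fa-f ]+"' | tr -d '" ' |
        tr 'a-f' 'A-F' | grep -E '^[0-9A-F]{40}$' || true
}

# stdin: file names on the keyring branch. stdout: names that do not end in
# ".key" and are therefore never loaded (e.g. jeko-A2E0F15D.asc).
ignored_keyring_files() {
    grep -v '\.key$' || true
}

# stdin: fingerprints to look for. $1: newline-separated fingerprints that the
# keyring provides. stdout: the ones that are not provided.
missing_from() {
    while read -r fpr; do
        printf '%s\n' "$1" | grep -qxF "$fpr" || printf '%s\n' "$fpr"
    done
}

# $1: channel checkout, $2: keyring ref. stdout: fingerprints of every primary
# key and subkey found in the *.key files of that ref.
keyring_fingerprints() {
    git -C "$1" ls-tree --name-only "$2" | grep '\.key$' |
    while IFS= read -r f; do
        git -C "$1" show "$2:$f" | gpg --show-keys --with-colons 2>/dev/null
    done | awk -F: '$1 == "fpr" { print $10 }'
}

# Print a report; return 1 if anything was reported.
check_channel() {
    repo=$1; ref=${2:-keyring}
    have=$(keyring_fingerprints "$repo" "$ref")
    report=$(
        authorized_fingerprints < "$repo/.guix-authorizations" |
            missing_from "$have" | sed 's/^/no .key file provides: /'
        git -C "$repo" ls-tree --name-only "$ref" | ignored_keyring_files |
            sed 's/^/not loaded (name does not end in .key): /'
    )
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

if [ -n "${1:-}" ]; then check_channel "$@"; fi
```

Pass the checkout path and, when only the remote-tracking branch exists locally, the reference to read, for example `origin/keyring`.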

* Re: Authenticate a channel
  2025-01-10 12:22     ` Tobias Geerinckx-Rice
@ 2025-01-10 12:51       ` Tobias Geerinckx-Rice
  2025-01-10 13:47       ` Marcel van der Boom
  1 sibling, 0 replies; 11+ messages in thread
From: Tobias Geerinckx-Rice @ 2025-01-10 12:51 UTC (permalink / raw)
  To: help-guix, Marcel van der Boom

>If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes.

…before pushing your *keyring* changes, I mean, which will be rare.  The server will also simply nope out if you forget, and you can 'git fetch' and 'git rebase' your keyring before retrying.

You needn't obsessively 'git fetch' the keyring branch every time you push any *other* branch.  Sorry if I was unclear.



Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2025-01-10 12:22     ` Tobias Geerinckx-Rice
  2025-01-10 12:51       ` Tobias Geerinckx-Rice
@ 2025-01-10 13:47       ` Marcel van der Boom
  1 sibling, 0 replies; 11+ messages in thread
From: Marcel van der Boom @ 2025-01-10 13:47 UTC (permalink / raw)
  To: Tobias Geerinckx-Rice; +Cc: help-guix

[Tobias Geerinckx-Rice]:


> AIR Guix does not (yet?) resolve subkeys to an authorised 
> primary. This means that each signing subkey used must be 
> explicitly authorised. If you look at upstream Guix's 
> .guix-authorizations, you'll see a good few ';; Primary: XXXX…' 
> comments above certain keys, including mine.

Okay, that was actually what I assumed, i.e. explicit subkey 
mentioning. Great, one suspect eliminated. ;-)

thanks.



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Authenticate a channel
  2025-01-10 11:22       ` Marcel van der Boom
@ 2025-01-11  0:25         ` Tomas Volf
  0 siblings, 0 replies; 11+ messages in thread
From: Tomas Volf @ 2025-01-11  0:25 UTC (permalink / raw)
  To: Marcel van der Boom; +Cc: Cayetano Santos, help-guix


Marcel van der Boom <marcel@hsdev.com> writes:

> Not 100% sure, but I think this applies to my situation:
>
> "Pay attention to merges in particular: merge commits are considered authentic
> if and only if they are signed by a key present in the .guix-authorizations file
> of both branches."
>
>
> My local (channel) repo is just the guix sources with some patches, which
> obviously will lead to merge commits on almost every pull.
>
> Is this analysis correct?
>
> If so, how do I change this? My goal is to have a local copy to put patches
> in. This works easier in some cases rather than having a manifest.

Yes, the analysis is correct and no, currently it is not possible to
have an authenticated Guix fork that periodically merges from Guix
proper.

You *can* get there by patching some files.  ¯\_(ツ)_/¯

You can read more in this[0] message from September of 2023.

Tomas

0: https://lists.gnu.org/archive/html/help-guix/2023-09/msg00078.html

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.


^ permalink raw reply	[flat|nested] 11+ messages in thread
