Authenticate a channel

Authenticate a channel

[Jeremy Korwin-Zmijowski]

Dear Guixters,

I have made an authenticated channel at 
https://framagit.org/jeko/guix-jeko-channel

While on the initial commit 60d0b6b2, I was able to `guix pull` with no 
issue.

But two days ago, I pushed a new signed commit (`git log 
--show-signature` can tell).

I haven't change anything with my keys since then. So I was surprised to 
see `guix pull` returning :

    guix pull: erreur : could not authenticate commit
    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

I don't really need to authenticate my channel as I am the only one 
making changes on it.

This was an experiment to learn. I struggled a lot to set it up.

I am currently running Guix on top of Ubuntu.

I would be grateful for any help or hint.

Cheers, take care.

Jeremy

Re: Authenticate a channel

[Ludovic Courtès]

Hi Jérémy,

Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:

> I haven't change anything with my keys since then. So I was surprised
> to see `guix pull` returning :
>
>    guix pull: erreur : could not authenticate commit
>    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

Presumably this indicate that this key is missing from the ‘keyring’
branch of your channel.  You should export it and add it to that branch.

HTH!

Ludo’.

Re: Authenticate a channel

[Marcel van der Boom]

I have issues with this too. On every git pull and guix pull I get 
messages that my key is missing, although I did add it locally to the 
keyring branch.

Is there a procedure documented somewhere on how to make sure the 
signature is present and correct? It feels like I am just missing 
something small here.

Some unknowns for me:
- are subkeys supported? anything special needed?
- it seems there is a file-naming convention on the keyring branch for 
the keys?
- do i need to pull the keyring in manually over time of does the 
machinery take care of this?


On 2024-12-28 19:01, Ludovic Courtès wrote:
> Hi Jérémy,
> 
> Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:
> 
>> I haven't change anything with my keys since then. So I was surprised
>> to see `guix pull` returning :
>>
>>     guix pull: erreur : could not authenticate commit
>>     ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>>     FAED  FA70 A2E0 F15D BF8E A5F0 is missing
> 
> Presumably this indicate that this key is missing from the ‘keyring’
> branch of your channel.  You should export it and add it to that branch.
> 
> HTH!
> 
> Ludo’.
> 

Re: Authenticate a channel

[Cayetano Santos]

[-- Attachment #1: Type: text/plain, Size: 983 bytes --]


>dim. 29 déc. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:

> I have issues with this too. On every git pull and guix pull I get messages that my key is
> missing, although I did add it locally to the keyring branch.
>
> Is there a procedure documented somewhere on how to make sure the signature is present and
> correct? It feels like I am just missing something small here.

Most up to date documentation is here,

https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html

> Some unknowns for me:
> - are subkeys supported? anything special needed?
> - it seems there is a file-naming convention on the keyring branch for the keys?
> - do i need to pull the keyring in manually over time of does the machinery take care of
>  this?

Have you checked with other public channels ?

--
Cayetano Santos
GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: Authenticate a channel

[Marek Paśnikowski]

> >dim. 29 déc. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:
> > I have issues with this too. On every git pull and guix pull I get
> > messages that my key is missing, although I did add it locally to the
> > keyring branch.
> > 
> > Is there a procedure documented somewhere on how to make sure the
> > signature is present and correct? It feels like I am just missing
> > something small here.
> 
> Most up to date documentation is here,
> 
> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizat
> ions.html
> > Some unknowns for me:
> > - are subkeys supported? anything special needed?
> > - it seems there is a file-naming convention on the keyring branch for the
> > keys? - do i need to pull the keyring in manually over time of does the
> > machinery take care of> 
> >  this?
> 
> Have you checked with other public channels ?
> 
> --
> Cayetano Santos
> GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
> FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682

I looked at Jeko’s channel and noticed one discrepancy from my working setup.

The key file has a wrong name extension.

From documentation:

Additionally, your channel must provide all the OpenPGP keys that were ever 
mentioned in .guix-authorizations, stored as .key files, which can be either 
binary or “ASCII-armored”.

In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks 
the documented assumption. My key is named marekpasnikowski.key , for 
reference.

Hopefully, the name problem is the only problem here.

I also share the opinion that the documentation is written in a confusing 
style, especially for novices.

Re: Authenticate a channel

[Jeremy Korwin-Zmijowski]

Hello,

>  From documentation:
>
> Additionally, your channel must provide all the OpenPGP keys that were ever
> mentioned in .guix-authorizations, stored as .key files, which can be either
> binary or “ASCII-armored”.
>
> In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks
> the documented assumption. My key is named marekpasnikowski.key , for
> reference.
>
> Hopefully, the name problem is the only problem here.
>
> I also share the opinion that the documentation is written in a confusing
> style, especially for novices.

Marek pointed me to the right direction.

Renaming the key file with .key extension solved the problem.

Thank you all for the help.

Happy new year, wish you and your loved ones all the best.

Jérémy