Authenticate a channel

Authenticate a channel

[Jeremy Korwin-Zmijowski]

Dear Guixters,

I have made an authenticated channel at 
https://framagit.org/jeko/guix-jeko-channel

While on the initial commit 60d0b6b2, I was able to `guix pull` with no 
issue.

But two days ago, I pushed a new signed commit (`git log 
--show-signature` can tell).

I haven't change anything with my keys since then. So I was surprised to 
see `guix pull` returning :

    guix pull: erreur : could not authenticate commit
    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

I don't really need to authenticate my channel as I am the only one 
making changes on it.

This was an experiment to learn. I struggled a lot to set it up.

I am currently running Guix on top of Ubuntu.

I would be grateful for any help or hint.

Cheers, take care.

Jeremy

Re: Authenticate a channel

[Ludovic Courtès]

Hi Jérémy,

Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:

> I haven't change anything with my keys since then. So I was surprised
> to see `guix pull` returning :
>
>    guix pull: erreur : could not authenticate commit
>    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>    FAED  FA70 A2E0 F15D BF8E A5F0 is missing

Presumably this indicate that this key is missing from the ‘keyring’
branch of your channel.  You should export it and add it to that branch.

HTH!

Ludo’.

Re: Authenticate a channel

[Marcel van der Boom]

I have issues with this too. On every git pull and guix pull I get 
messages that my key is missing, although I did add it locally to the 
keyring branch.

Is there a procedure documented somewhere on how to make sure the 
signature is present and correct? It feels like I am just missing 
something small here.

Some unknowns for me:
- are subkeys supported? anything special needed?
- it seems there is a file-naming convention on the keyring branch for 
the keys?
- do i need to pull the keyring in manually over time of does the 
machinery take care of this?


On 2024-12-28 19:01, Ludovic Courtès wrote:
> Hi Jérémy,
> 
> Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:
> 
>> I haven't change anything with my keys since then. So I was surprised
>> to see `guix pull` returning :
>>
>>     guix pull: erreur : could not authenticate commit
>>     ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>>     FAED  FA70 A2E0 F15D BF8E A5F0 is missing
> 
> Presumably this indicate that this key is missing from the ‘keyring’
> branch of your channel.  You should export it and add it to that branch.
> 
> HTH!
> 
> Ludo’.
> 

Re: Authenticate a channel

[Cayetano Santos]

[-- Attachment #1: Type: text/plain, Size: 983 bytes --]


>dim. 29 déc. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:

> I have issues with this too. On every git pull and guix pull I get messages that my key is
> missing, although I did add it locally to the keyring branch.
>
> Is there a procedure documented somewhere on how to make sure the signature is present and
> correct? It feels like I am just missing something small here.

Most up to date documentation is here,

https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html

> Some unknowns for me:
> - are subkeys supported? anything special needed?
> - it seems there is a file-naming convention on the keyring branch for the keys?
> - do i need to pull the keyring in manually over time of does the machinery take care of
>  this?

Have you checked with other public channels ?

--
Cayetano Santos
GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 259 bytes --]

Re: Authenticate a channel

[Marek Paśnikowski]

> >dim. 29 déc. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:
> > I have issues with this too. On every git pull and guix pull I get
> > messages that my key is missing, although I did add it locally to the
> > keyring branch.
> > 
> > Is there a procedure documented somewhere on how to make sure the
> > signature is present and correct? It feels like I am just missing
> > something small here.
> 
> Most up to date documentation is here,
> 
> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizat
> ions.html
> > Some unknowns for me:
> > - are subkeys supported? anything special needed?
> > - it seems there is a file-naming convention on the keyring branch for the
> > keys? - do i need to pull the keyring in manually over time of does the
> > machinery take care of> 
> >  this?
> 
> Have you checked with other public channels ?
> 
> --
> Cayetano Santos
> GnuPG Key:   https://meta.sr.ht/~csantosb.pgp
> FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682

I looked at Jeko’s channel and noticed one discrepancy from my working setup.

The key file has a wrong name extension.

From documentation:

Additionally, your channel must provide all the OpenPGP keys that were ever 
mentioned in .guix-authorizations, stored as .key files, which can be either 
binary or “ASCII-armored”.

In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks 
the documented assumption. My key is named marekpasnikowski.key , for 
reference.

Hopefully, the name problem is the only problem here.

I also share the opinion that the documentation is written in a confusing 
style, especially for novices.

Re: Authenticate a channel

[Jeremy Korwin-Zmijowski]

Hello,

>  From documentation:
>
> Additionally, your channel must provide all the OpenPGP keys that were ever
> mentioned in .guix-authorizations, stored as .key files, which can be either
> binary or “ASCII-armored”.
>
> In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks
> the documented assumption. My key is named marekpasnikowski.key , for
> reference.
>
> Hopefully, the name problem is the only problem here.
>
> I also share the opinion that the documentation is written in a confusing
> style, especially for novices.

Marek pointed me to the right direction.

Renaming the key file with .key extension solved the problem.

Thank you all for the help.

Happy new year, wish you and your loved ones all the best.

Jérémy

Re: Authenticate a channel

[Marcel van der Boom]

Not 100% sure, but I think this applies to my situation:

"Pay attention to merges in particular: merge commits are 
considered authentic if and only if they are signed by a key 
present in the .guix-authorizations file of both branches."


My local (channel) repo is just the guix sources with some 
patches, which obviously will lead to merge commits on almost 
every pull.

Is this analysis correct?

If so, how do I change this? My goal is to have a local copy to 
put patches in. This works easier in some cases rather than having 
a manifest.


[Cayetano Santos]:
>>dim. 29 déc. 2024 at 14:04, Marcel van der Boom 
>><marcel@hsdev.com> wrote:

>> I have issues with this too. On every git pull and guix pull I 
>> get messages that my key is
>> missing, although I did add it locally to the keyring branch.
>>
>> Is there a procedure documented somewhere on how to make sure 
>> the signature is present and
>> correct? It feels like I am just missing something small here.

> Most up to date documentation is here,

> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html

>> Some unknowns for me:
>> - are subkeys supported? anything special needed?
>> - it seems there is a file-naming convention on the keyring 
>> branch for the keys?
>> - do i need to pull the keyring in manually over time of does 
>> the machinery take care of
>>  this?

> Have you checked with other public channels ?

Re: Authenticate a channel

[Tobias Geerinckx-Rice]

H(o)i Marcel,

On 29 December 2024 13:04:59 UTC, Marcel van der Boom <marcel@hsdev.com> wrote:
>- are subkeys supported? anything special needed?

AIR Guix does not (yet?) resolve subkeys to an authorised primary.  This means that each signing subkey used must be explicitly authorised.  If you look at upstream Guix's .guix-authorizations, you'll see a good few ';; Primary: XXXX…' comments above certains keys, including mine.

>- do i need to pull the keyring in manually over time of does the machinery take care of this?

If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes.  There is no magic.

If you mean 'guix pull', even from a file:// URL: guix clones and updates the entire repository, not only 'master'.  No additional action is needed to fetch the latest upstream keyring.



Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Re: Authenticate a channel

[Tobias Geerinckx-Rice]

>If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes.

…before pushing your *keyring* changes, I mean, which will be rare.  The server will also simply nope out if you forget, and you can 'git fetch' and 'git rebase' your keyring before retrying.

You needn't obsessively 'git fetch' the keyring branch every time you push any *other* branch.  Sorry if I was unclear.



Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.

Re: Authenticate a channel

[Marcel van der Boom]

[Tobias Geerinckx-Rice]:


> AIR Guix does not (yet?) resolve subkeys to an authorised 
> primary. This means that each signing subkey used must be 
> explicitly authorised. If you look at upstream Guix's 
> .guix-authorizations, you'll see a good few ';; Primary: XXXX…' 
> comments above certains keys, including mine.

Okay, that was actually what I assumed, i.e. explicit subkey 
mentioning. Great, one suspect eliminated. ;-)

thanks.