* Authenticate a channel
From: Jeremy Korwin-Zmijowski @ 2024-12-26 16:48 UTC (permalink / raw)
To: help-guix
Dear Guixters,
I have made an authenticated channel at
https://framagit.org/jeko/guix-jeko-channel
While on the initial commit 60d0b6b2, I was able to `guix pull` with no
issue.
But two days ago, I pushed a new signed commit (`git log
--show-signature` can tell).
I haven't changed anything with my keys since then. So I was surprised to
see `guix pull` returning:
    guix pull: erreur : could not authenticate commit
    ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
    FAED FA70 A2E0 F15D BF8E A5F0 is missing
I don't really need to authenticate my channel as I am the only one
making changes on it.
This was an experiment to learn. I struggled a lot to set it up.
I am currently running Guix on top of Ubuntu.
I would be grateful for any help or hint.
Cheers, take care.
Jeremy
* Re: Authenticate a channel
From: Ludovic Courtès @ 2024-12-28 18:01 UTC (permalink / raw)
To: Jeremy Korwin-Zmijowski; +Cc: help-guix
Hi Jérémy,
Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:
> I haven't changed anything with my keys since then. So I was surprised
> to see `guix pull` returning:
>
> guix pull: erreur : could not authenticate commit
> ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
> FAED FA70 A2E0 F15D BF8E A5F0 is missing
Presumably this indicates that this key is missing from the ‘keyring’
branch of your channel. You should export it and add it to that branch.
HTH!
Ludo’.
* Re: Authenticate a channel
From: Marcel van der Boom @ 2024-12-29 13:04 UTC (permalink / raw)
To: help-guix
I have issues with this too. On every git pull and guix pull I get
messages that my key is missing, although I did add it locally to the
keyring branch.
Is there a procedure documented somewhere on how to make sure the
signature is present and correct? It feels like I am just missing
something small here.
Some unknowns for me:
- are subkeys supported? anything special needed?
- it seems there is a file-naming convention on the keyring branch for
the keys?
- do I need to pull the keyring in manually over time or does the
machinery take care of this?
On 2024-12-28 19:01, Ludovic Courtès wrote:
> Hi Jérémy,
>
> Jeremy Korwin-Zmijowski <jeremy@korwin-zmijowski.fr> skribis:
>
>> I haven't change anything with my keys since then. So I was surprised
>> to see `guix pull` returning :
>>
>> guix pull: erreur : could not authenticate commit
>> ad4cea635090b30d259dcf1cb690f07c831f6a1e: key EFBB 9626 457A C7F6
>> FAED FA70 A2E0 F15D BF8E A5F0 is missing
>
> Presumably this indicate that this key is missing from the ‘keyring’
> branch of your channel. You should export it and add it to that branch.
>
> HTH!
>
> Ludo’.
>
* Re: Authenticate a channel
From: Cayetano Santos @ 2024-12-30 18:57 UTC (permalink / raw)
To: Marcel van der Boom; +Cc: help-guix
> Sun. 29 Dec. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:
> I have issues with this too. On every git pull and guix pull I get messages that my key is
> missing, although I did add it locally to the keyring branch.
>
> Is there a procedure documented somewhere on how to make sure the signature is present and
> correct? It feels like I am just missing something small here.
Most up to date documentation is here,
https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html
> Some unknowns for me:
> - are subkeys supported? anything special needed?
> - it seems there is a file-naming convention on the keyring branch for the keys?
> - do i need to pull the keyring in manually over time of does the machinery take care of
> this?
Have you checked with other public channels?
--
Cayetano Santos
GnuPG Key: https://meta.sr.ht/~csantosb.pgp
FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682
* Re: Authenticate a channel
From: Marek Paśnikowski @ 2025-01-01 12:03 UTC (permalink / raw)
To: Marcel van der Boom, help-guix, Cayetano Santos
> >dim. 29 déc. 2024 at 14:04, Marcel van der Boom <marcel@hsdev.com> wrote:
> > I have issues with this too. On every git pull and guix pull I get
> > messages that my key is missing, although I did add it locally to the
> > keyring branch.
> >
> > Is there a procedure documented somewhere on how to make sure the
> > signature is present and correct? It feels like I am just missing
> > something small here.
>
> Most up to date documentation is here,
>
> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html
> > Some unknowns for me:
> > - are subkeys supported? anything special needed?
> > - it seems there is a file-naming convention on the keyring branch for the
> > keys?
> > - do i need to pull the keyring in manually over time of does the
> > machinery take care of this?
>
> Have you checked with other public channels ?
>
> --
> Cayetano Santos
> GnuPG Key: https://meta.sr.ht/~csantosb.pgp
> FingerPrint: CCB8 1842 F9D7 058E CD67 377A BF5C DF4D F6BF 6682
I looked at Jeko’s channel and noticed one discrepancy from my working setup.
The key file has a wrong name extension.
From documentation:
    Additionally, your channel must provide all the OpenPGP keys that were ever
    mentioned in .guix-authorizations, stored as .key files, which can be either
    binary or “ASCII-armored”.
In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks
the documented assumption. My key is named marekpasnikowski.key, for
reference.
Hopefully, the name problem is the only problem here.
I also share the opinion that the documentation is written in a confusing
style, especially for novices.
* Re: Authenticate a channel
From: Jeremy Korwin-Zmijowski @ 2025-01-02 9:07 UTC (permalink / raw)
To: help-guix
Hello,
> From documentation:
>
> Additionally, your channel must provide all the OpenPGP keys that were ever
> mentioned in .guix-authorizations, stored as .key files, which can be either
> binary or “ASCII-armored”.
>
> In Jeko’s case, the key is stored in a jeko-A2E0F15D.asc file, which breaks
> the documented assumption. My key is named marekpasnikowski.key , for
> reference.
>
> Hopefully, the name problem is the only problem here.
>
> I also share the opinion that the documentation is written in a confusing
> style, especially for novices.
Marek pointed me in the right direction.
Renaming the key file with the .key extension solved the problem.
Thank you all for the help.
Happy new year, wish you and your loved ones all the best.
Jérémy
* Re: Authenticate a channel
From: Marcel van der Boom @ 2025-01-10 11:22 UTC (permalink / raw)
To: Cayetano Santos; +Cc: help-guix
Not 100% sure, but I think this applies to my situation:
"Pay attention to merges in particular: merge commits are
considered authentic if and only if they are signed by a key
present in the .guix-authorizations file of both branches."
My local (channel) repo is just the guix sources with some
patches, which obviously will lead to merge commits on almost
every pull.
Is this analysis correct?
If so, how do I change this? My goal is to have a local copy to
put patches in. This works easier in some cases rather than having
a manifest.
[Cayetano Santos]:
>>dim. 29 déc. 2024 at 14:04, Marcel van der Boom
>><marcel@hsdev.com> wrote:
>> I have issues with this too. On every git pull and guix pull I
>> get messages that my key is
>> missing, although I did add it locally to the keyring branch.
>>
>> Is there a procedure documented somewhere on how to make sure
>> the signature is present and
>> correct? It feels like I am just missing something small here.
> Most up to date documentation is here,
> https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html
>> Some unknowns for me:
>> - are subkeys supported? anything special needed?
>> - it seems there is a file-naming convention on the keyring
>> branch for the keys?
>> - do i need to pull the keyring in manually over time of does
>> the machinery take care of
>> this?
> Have you checked with other public channels ?
* Re: Authenticate a channel
From: Tomas Volf @ 2025-01-11 0:25 UTC (permalink / raw)
To: Marcel van der Boom; +Cc: Cayetano Santos, help-guix
Marcel van der Boom <marcel@hsdev.com> writes:
> Not 100% sure, but I think this applies to my situation:
>
> "Pay attention to merges in particular: merge commits are considered authentic
> if and only if they are signed by a key present in the .guix-authorizations file
> of both branches."
>
>
> My local (channel) repo is just the guix sources with some patches, which
> obviously will lead to merge commits on almost every pull.
>
> Is this analysis correct?
>
> If so, how do I change this? My goal is to have a local copy to put patches
> in. This works easier in some cases rather than having a manifest.
Yes, the analysis is correct and no, currently it is not possible to
have an authenticated Guix fork that periodically merges from Guix
proper.
You *can* get there by patching some files. ¯\_(ツ)_/¯
You can read more in this[0] message from September of 2023.
Tomas
0: https://lists.gnu.org/archive/html/help-guix/2023-09/msg00078.html
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
* Re: Authenticate a channel
From: Tobias Geerinckx-Rice @ 2025-01-10 12:22 UTC (permalink / raw)
To: help-guix, Marcel van der Boom
H(o)i Marcel,
On 29 December 2024 13:04:59 UTC, Marcel van der Boom <marcel@hsdev.com> wrote:
>- are subkeys supported? anything special needed?
AIR Guix does not (yet?) resolve subkeys to an authorised primary. This means that each signing subkey used must be explicitly authorised. If you look at upstream Guix's .guix-authorizations, you'll see a good few ';; Primary: XXXX…' comments above certain keys, including mine.
>- do I need to pull the keyring in manually over time or does the machinery take care of this?
If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes. There is no magic.
If you mean 'guix pull', even from a file:// URL: guix clones and updates the entire repository, not only 'master'. No additional action is needed to fetch the latest upstream keyring.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
* Re: Authenticate a channel
From: Tobias Geerinckx-Rice @ 2025-01-10 12:51 UTC (permalink / raw)
To: help-guix, Marcel van der Boom
>If you mean in a git checkout: you must manually fetch any updates to the keyring branch before rebasing + pushing your changes.
…before pushing your *keyring* changes, I mean, which will be rare. The server will also simply nope out if you forget, and you can 'git fetch' and 'git rebase' your keyring before retrying.
You needn't obsessively 'git fetch' the keyring branch every time you push any *other* branch. Sorry if I was unclear.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
* Re: Authenticate a channel
From: Marcel van der Boom @ 2025-01-10 13:47 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: help-guix
[Tobias Geerinckx-Rice]:
> AIR Guix does not (yet?) resolve subkeys to an authorised
> primary. This means that each signing subkey used must be
> explicitly authorised. If you look at upstream Guix's
> .guix-authorizations, you'll see a good few ';; Primary: XXXX…'
> comments above certain keys, including mine.
Okay, that was actually what I assumed, i.e. explicit subkey
mentioning. Great, one suspect eliminated. ;-)
thanks.
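Added example, not part of any message in this thread: a small shell check for the two causes of "key ... is missing" discussed above, namely a key file on the keyring branch that does not end in .key (Marek's message) and a signing key or subkey whose fingerprint is not listed in .guix-authorizations (Tobias's message). The sample authorizations text, the name "jeko" in it, and the remote and branch names in the comments are constructed or assumed.

```shell
#!/bin/sh
# Added example: checks for the two "key ... is missing" causes in this thread.
# Every function reads its input on stdin, so nothing here needs a repository.

# Constructed sample of a .guix-authorizations file. The fingerprint is the
# one from the 'guix pull' error above; the name "jeko" is an assumption.
sample_authorizations() {
    cat <<'EOF'
(authorizations
 (version 0)
 (;; constructed entry
  ("EFBB 9626 457A C7F6  FAED FA70 A2E0 F15D  BF8E A5F0"
   (name "jeko"))))
EOF
}

# Print each authorized fingerprint: 40 hex digits, upper case, no spaces.
auth_fingerprints() {
    sed 's/;.*$//' |
        grep -oE '"[0-9A-Fa-f ]{40,}"' |
        tr -d '" ' | tr 'a-f' 'A-F' |
        grep -xE '[0-9A-F]{40}'
}

# Succeed only if fingerprint $1 (written as 'guix pull' prints it) is listed.
# A signing subkey needs its own entry; the primary's entry does not cover it.
is_authorized() {
    wanted=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    auth_fingerprints | grep -qxF "$wanted"
}

# Print keyring-branch file names that lack the required ".key" extension.
misnamed_keys() {
    awk 'NF && $0 !~ /\.key$/'
}

# Against a real checkout (remote and branch names are assumptions):
#   git show origin/master:.guix-authorizations | is_authorized "<fingerprint>"
#   git ls-tree -r --name-only origin/keyring | misnamed_keys
fpr="EFBB 9626 457A C7F6 FAED FA70 A2E0 F15D BF8E A5F0"
if sample_authorizations | is_authorized "$fpr"; then
    echo "authorized: $fpr"
else
    echo "NOT authorized: $fpr"
fi
printf '%s\n' jeko-A2E0F15D.asc marekpasnikowski.key | misnamed_keys |
    sed 's/^/rename to .key: /'
```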