From mboxrd@z Thu Jan 1 00:00:00 1970 From: Vagrant Cascadian Subject: Re: bug#22883: Authenticating Git checkouts: step #1 Date: Sat, 28 Dec 2019 18:45:34 -0800 Message-ID: <87a77bzw6p.fsf@yucca> References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net> <871sab7ull.fsf@gnu.org> <87zhwz6ct4.fsf@aikidev.net> <877ek364u5.fsf@gnu.org> <87mubmodfb.fsf_-_@gnu.org> <87eewqgc1v.fsf@gnu.org> <87o8vto5rl.fsf@elephly.net> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:38591) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ilOaR-0004yM-3u for guix-devel@gnu.org; Sat, 28 Dec 2019 21:45:48 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ilOaP-0008SH-So for guix-devel@gnu.org; Sat, 28 Dec 2019 21:45:47 -0500 In-Reply-To: <87o8vto5rl.fsf@elephly.net> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ricardo Wurmus , Ludovic =?utf-8?Q?Court=C3=A8s?= Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2019-12-27, Ricardo Wurmus wrote: >> b3011dbbd2 doc: Mention "make authenticate". >> 787766ed1e git-authenticate: Keep a local cache of previously-authenti= cated commits. >> 785af04a75 git: 'commit-difference' takes a list of excluded commits. >> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'. >> >> Commit 787766ed1e takes care of caching (one of the limitations I >> mentioned in my previous message). >> >> Commit b3011dbbd2 adds instructions for contributors on how to >> authenticate a checkout (copied below). It=E2=80=99s a bit bumpy so I w= ould >> very much welcome feedback and suggestions on how to improve this! > > This is great! Yes! Yes! > Thank you for the instructions. I thought I had all keys, but > apparently at least one of them is missing. =E2=80=9Cmake authenticate= =E2=80=9D fails > for me with this error: > > Throw to key `srfi-34' with args `(#)'. > > I previously downloaded the gpg keyring from Savannah: > > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix > > Looks like Hartmut used to use a different key, which I don=E2=80=99t hav= e. I got this too, and manually worked around it by downloading guix-keyring.gpg from: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=3Dguix&down= load=3D1 And running: gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.= kbx --import ~/guix-keyring.gpg It seems to be working now... how is the keyring *supposed* to be populated? Before I manually imported guix-keyring.gpg into guix.kbx, there were a very small number of keys present. It's a little awkward that it uses the fingerprint of the signing key rather than the primary key, as by default things like "gpg --list-keys" do not display the fingerprint of signing keys, only the primary key, so it is an adventure in gpg commandline options to correlate them. "gpg log --show-signature" also reports the the primary key fingerprint, if the key is available in the keyring, and only the subkey fingerprint for unknown keys if I remember correctly. It would be nice if the statistics would display the primary uid instead, as it is something a little more human readable, and the primary key fingerprint, as it is a little easier to find. :) I'm hoping the eventual goal is to integrate this into guix pull? Very nice to see progress on this issue! live well, vagrant --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXggTTgAKCRDcUY/If5cW qrIgAQCYAiX3kvfC2ArneJQIxY9cVyHAj37e09R2Tj7kCG6HngEApLr9wyBNN7ov 03cuGuSfLjJgYM9vkRSuoD8qIYqeVwo= =/KWb -----END PGP SIGNATURE----- --=-=-=--