From: ludo@gnu.org (Ludovic Courtès)
To: 22883@debbugs.gnu.org
Subject: bug#22883: Authenticating a Git checkout
Date: Tue, 24 Oct 2017 16:30:02 -0700
Message-ID: <87bmkwm8ed.fsf@gnu.org>

Hello,

Just a note for later…

ludo@gnu.org (Ludovic Courtès) writes:

> With the quick-hack libgit2 bindings attached, I can run this program,
> which authenticates HEAD:

[...]

> So I think we can go from here.  Our repo would contain a Scheme list of
> authorized OpenPGP fingerprints, and we’d check whether the fingerprint
> that shows up in ‘valid-signature’ above is among them

Storing the list of authorized keys in a file in the repo is
inconvenient: simply to retrieve it, you’d need to make a checkout.  So
for each commit we verify, we have to check out the whole repo, which is
inefficient.

While reading , I realized we could store in empty Git commit messages,
which would address the above problem (we could use a custom object type
too, but that would be less convenient.)

So the special commit could look like:

  Authorization

  (commit-authorizations
    (authorization-commit (KEY1 KEY2 …))
    (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))
    (files _ (KEY1 KEY2 …)))   ;all other files

That way, to authenticate a commit, we first fetch the latest
authorization commit, read the authorization rules from there, and make
sure that the changes it makes match the rules.

Thoughts?

Ludo’.
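
The rule check described in the message above, sketched in Guile Scheme as an added example; it is not code from the message or from Guix. The fingerprints, the changed-file names, and the procedure names are constructed for illustration. Two behaviours are assumptions: a `files` clause that names a file takes precedence over the `_` clause, and an ordinary commit that touches no files is rejected.

```scheme
(use-modules (ice-9 match) (srfi srfi-1))

;; Constructed sample: what 'read' would return for the body of the
;; latest authorization commit.  Fingerprints are placeholders.
(define %rules
  '(commit-authorizations
    (authorization-commit ("AAAA1111"))
    (files ("hydra.gnu.org.pub") ("AAAA1111" "BBBB2222"))
    (files _ ("AAAA1111" "BBBB2222" "CCCC3333"))))

(define (rule-clauses rules)
  "Return the clauses of RULES, or the empty list if RULES is malformed."
  (match rules
    (('commit-authorizations clauses ...) clauses)
    (_ '())))

(define (authorization-commit-keys rules)
  "Return the fingerprints allowed to sign a new authorization commit."
  (or (any (match-lambda (('authorization-commit keys) keys) (_ #f))
           (rule-clauses rules))
      '()))

(define (keys-for-file rules file)
  "Return the fingerprints allowed to change FILE.  A clause naming FILE
wins over the '_' clause (assumed precedence); no match means no keys."
  (let ((clauses (rule-clauses rules)))
    (or (any (match-lambda
               (('files (? list? names) keys) (and (member file names) keys))
               (_ #f))
             clauses)
        (any (match-lambda (('files '_ keys) keys) (_ #f)) clauses)
        '())))

(define (authorized? rules signer changed-files authorization-commit?)
  "Return #t if SIGNER, the fingerprint of an already verified signature,
may make this commit under RULES."
  (if authorization-commit?
      (and (member signer (authorization-commit-keys rules)) #t)
      (and (pair? changed-files)        ;fail closed on an empty change set
           (every (lambda (file) (member signer (keys-for-file rules file)))
                  changed-files)
           #t)))

;; CCCC3333 may change ordinary files but not the substitute key.
(for-each (lambda (files)
            (format #t "~s -> ~a~%" files
                    (authorized? %rules "CCCC3333" files #f)))
          '(("gnu/packages/base.scm")
            ("gnu/packages/base.scm" "hydra.gnu.org.pub")))
```

The signature itself must be verified before `authorized?` is called; the procedure only answers whether that fingerprint is allowed to make the change.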