From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hilton Chain via Bug reports for GNU Guix
To: 60852@debbugs.gnu.org
Subject: bug#60852: git-authenticate edge case for certain key setup.
Date: Mon, 16 Jan 2023 15:29:40 +0800
Message-ID: <87lem3kkd7.wl-hako@ultrarare.space>

I encountered the issue when adding a new key to my Guix channel.  Though I
haven't figured out what happened exactly, I'm currently able to reproduce the
issue with the following steps.

1. Generate two keypairs.  Key One with the preset "ECC and ECC", Key Two with
"ECC (set your own capabilities)" and only keep the Certify capability, then add
a Sign subkey to Key Two.  All Curve 25519.

#+RESULTS:
: /tmp/test/pubring.kbx
: ---------------------
: sec   ed25519/676A52381FFD80C5 2023-01-16 [SC]
:       Key fingerprint = 21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5
: uid                 [ultimate] Key One
: ssb   cv25519/BA35E2E29D6E4CE4 2023-01-16 [E]
:       Key fingerprint = 450A DF8C 6FE4 AEFF EC75 EBD9 BA35 E2E2 9D6E 4CE4
:
: sec   ed25519/06DE4CED9A91AB7B 2023-01-16 [C]
:       Key fingerprint = 4A45 EC76 DA2B 389A FE2F C887 06DE 4CED 9A91 AB7B
: uid                 [ultimate] Key Two
: ssb   ed25519/3BE8CD60E408A705 2023-01-16 [S]
:       Key fingerprint = 405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705

2. Create a new git repository, commit public keys of the two to the "keyring"
branch.  Then commit file ".guix-authorizations" to the "main" branch with the
following code:

#+begin_src scheme
(authorizations
 (version 0)
 (("21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5"
   (name "Key One"))))
#+end_src

Configure git to sign commits with Key One, change the ".guix-authorizations"
file to the following and commit:

#+begin_src scheme
(authorizations
 (version 0)
 (("21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5"
   (name "Key One")))
 (("405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705"
   (name "Key Two"))))
#+end_src

Then change the signing key to Key Two and add a new commit.

Now there're three commits:

#+RESULTS:
: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 (HEAD -> main)
: Author: Test
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
:     test
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
:     Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
:     Authorize Key One.

3. Invoke `guix git authenticate`...with error.

#+begin_src shell
guix git authenticate c9476062a2f341e9ee95a60d17cf2233b7c55ff4 "21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5"
#+end_src

#+RESULTS:
: Authenticating commits c947606 to 5240bae (1 new commits)...
: [##############################################################################]guix git: error: commit 5240baeebc055187fb738e66e7dbfbb57c0aeba3 not signed by an authorized key: 405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705

4. However, if I swap positions of the two fingerprints, it works.

New ".guix-authorizations" file:

#+begin_src scheme
(authorizations
 (version 0)
 (("405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705"
   (name "Key Two")))
 (("21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5"
   (name "Key One"))))
#+end_src

New commits history:

#+RESULTS:
: commit 7e4d98eea0e89652554d822503096371e5d59f3b (HEAD -> main)
: Author: Test
: Date:   Mon Jan 16 14:52:37 2023 +0800
:
:     test
:
: commit a44434b1a9bd955cc897dea4c44abe64d6ab8112
: Author: Test
: Date:   Mon Jan 16 13:53:49 2023 +0800
:
:     Swap positions of the two fingerprints.
:
: commit a6794b64f9dfa828a5721e3f02c27ab74db9a487
: Author: Test
: Date:   Mon Jan 16 13:53:17 2023 +0800
:
:     Authorize Key Two.
:
: commit c9476062a2f341e9ee95a60d17cf2233b7c55ff4
: Author: Test
: Date:   Mon Jan 16 13:51:02 2023 +0800
:
:     Authorize Key One.

And a new `guix git authenticate` result:

#+RESULTS:
: Authenticating commits c947606 to 7e4d98e (2 new commits)...

🥴
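
A structural check for the ".guix-authorizations" files shown in this report, added here as an example (it is not code from the report or from Guix). The Guix manual documents a single list holding every key entry after `(version 0)`; the hypothetical helper `check_authorizations` returns the fingerprints found in that first list and whatever elements follow it. `STEP2_FILE` is copied from step 2, and `ONE_LIST_FILE` is a constructed variant.

```python
import re

# Copied from step 2 of the report: the file after "Authorize Key Two".
STEP2_FILE = '''(authorizations (version 0)
 (("21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5" (name "Key One")))
 (("405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705" (name "Key Two"))))'''
# Constructed variant (not from the report): both entries inside one list.
ONE_LIST_FILE = '''(authorizations (version 0)
 (("21D3 9304 CED7 A5CF 50B6 0B80 676A 5238 1FFD 80C5" (name "Key One"))
  ("405C B557 DE1F 1254 B012 640A 3BE8 CD60 E408 A705" (name "Key Two"))))'''
# Tokens: ';' comments, parentheses, double-quoted strings, bare atoms.
_TOKEN = re.compile(r';[^\n]*|\(|\)|"(?:\\.|[^"\\])*"|[^\s()";]+')

def read_sexp(text):
    """Parse the first S-expression in text into nested lists of tokens."""
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith(";")]
    pos = 0
    def parse():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok                      # string (quotes kept) or symbol
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(parse())
        if pos >= len(tokens):
            raise ValueError("missing ')'")
        pos += 1                            # consume ')'
        return items
    return parse()

def check_authorizations(text):
    """Return (fingerprints in the first key list, elements after that list)."""
    form = read_sexp(text)
    if form[:2] != ["authorizations", ["version", "0"]] or len(form) < 3:
        raise ValueError("not a version 0 authorizations form")
    keys, extra = form[2], form[3:]
    fingerprints = [e[0].strip('"').replace(" ", "") for e in keys
                    if isinstance(e, list) and e and str(e[0]).startswith('"')]
    return fingerprints, extra
```

On `STEP2_FILE` the first key list holds only Key One's fingerprint, and the Key Two entry comes back as a separate trailing element.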