From mboxrd@z Thu Jan 1 00:00:00 1970 From: Amin Bandali Subject: Additional GPG key needed when verifying git-authenticate Date: Sat, 28 Mar 2020 20:29:41 -0400 Message-ID: <87tv28ype2.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:49368) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jILpi-0001lF-2P for guix-devel@gnu.org; Sat, 28 Mar 2020 20:29:47 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane-mx.org@gnu.org Sender: "Guix-devel" To: Guix-devel --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello Guix, I'll get right to the point: I goofed up earlier tonight, and pushed to master a commit [0] modifying build-aux/git-authenticate.scm. Since we're all to sign our commits, as a result, in addition to Ludo=E2=80=99s k= ey you now need to add my GPG key to your keyring as well, before invoking git-verify-commit on that file as shown in the manual. [0]: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3Dc2cf286c62933d= 2806ae17b8287520820bf87c7e Backstory: as I myself had not yet started using git-authenticate, I had not read the bit about it in the manual. And it did not occur to me to do a git-blame or git-log on the file before committing to it, in order for me to notice that until that point only Ludo=E2=80=99 had committed to = it. Chatting with Ludo=E2=80=99 and others in #guix, it seems that it's not too= far fetched for committers to update their own keys and information in the git-authenticate script, and I just happened to be the first person walking into it. :-) As such, the manual will be updated to clarify that keys other than Ludo=E2=80=99s have been used to sign commits to build-aux/git-authenticate= .scm, and folks looking to verify and use the script need to fetch them from the respective committers' Savannah profile in addition to Ludo=E2=80=99s k= ey. fishyfriend on #guix kindly volunteered to send a patch clarifying this. For those looking to fetch my GPG key in order to verify the legitimacy of my commit(s) to git-authenticate, you can get a copy of my key from my Savannah profile [1]; or since I happen to be a GNU maintainer, from the GNU maintainers keyring [2]. The key is the same one I have used to sign my previous commits to guix.git with, and the one I have signed my messages to this list with, including this very message, with primary fingerprint BE62 7373 8E61 6D6D 1B3A 08E8 A21A 0202 4881 6103, and signing subkey 39B3 3C8D 9448 0D2D DCC2 A498 8B44 A0CD C7B9 56F2. [1]: https://savannah.gnu.org/users/bandali [2]: https://ftp.gnu.org/gnu/gnu-keyring.gpg Sorry for any inconvenience or confusion this may have caused. Best, amin --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEObM8jZRIDS3cwqSYi0Sgzce5VvIFAl5/6/UACgkQi0Sgzce5 VvL3ow//ftossqMUX4jpKDa/3Uq/1PMPaDKfh/2PgfNeQcOA/w7vd4Hg9sNQL4Ev bs5nzg1Eb6lqntYxp0IP0Tw/YarOAbVqsjDEmtDah8qg5IelGRaQepJCrQXs5Yr9 KyWl4KtGcXFW0lYq06SwUYWB4MBLiot5+WxqQx+ObE/Qe669e+t5m7ZLZfTSQop0 GUWV2U5Vksv26QT0nxG6HnLJdTdsLYMrOA+g5Oar5a2KpLhZxZ60nsQibS5Fscjz MttwMhRIqcFn9vBRyWasorzRpRZ8WOWqcb+17+d/w2lDDIxWwILHbG4fjN0UXmVV v7012/N8NCm4mkCs212D72Q8RE0RwSxtzcre+pdoG6mGWWuY2WxBXj7IiNUjfk2w qzhzuZKIbODFusVROraxCY5S4X8WcbDNKsIMFBPD9ReKuvCe2+vOYRfuqNA//N5r 1UeHFkJisTjCrALqZrKUIo6Hk4XFfD8tTKokcHfCbsT6g7HpmVIAD+jy30lzlvpD gAMyHmTNz+QTxQ7B+D+1tt8Jk8CXlApVb02tE5SMBoMe1fGiYQ5+lQ6auFe++cFo /MCKcRg6o57ddG4ysQzqAB4Jd3OQEGz8GoVVW1VubisFAHb2VatutDGUseyAOUp9 aVfxpzclN2l4eR18Q7p+35UhlxhYZ9hq9P6aVLLjOKFraYgivQc= =07vP -----END PGP SIGNATURE----- --=-=-=--