bug#22883: Authenticating Git checkouts: step #1
From: Efraim Flashner
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Sun, 29 Dec 2019 09:34:32 +0200

On Sat, Dec 28, 2019 at 06:45:34PM -0800, Vagrant Cascadian wrote:
> On 2019-12-27, Ricardo Wurmus wrote:
> >> b3011dbbd2 doc: Mention "make authenticate".
> >> 787766ed1e git-authenticate: Keep a local cache of
> >> previously-authenticated commits.
> >> 785af04a75 git: 'commit-difference' takes a list of excluded commits.
> >> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
> >>
> >> Commit 787766ed1e takes care of caching (one of the limitations I
> >> mentioned in my previous message).
> >>
> >> Commit b3011dbbd2 adds instructions for contributors on how to
> >> authenticate a checkout (copied below). It’s a bit bumpy so I would
> >> very much welcome feedback and suggestions on how to improve this!
> >
> > This is great!
>
> Yes! Yes!
>
>
> > Thank you for the instructions. I thought I had all keys, but
> > apparently at least one of them is missing. “make authenticate” fails
> > for me with this error:
> >
> > Throw to key `srfi-34' with args `(#<condition &message [message: "could
> > not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key
> > B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
> >
> > I previously downloaded the gpg keyring from Savannah:
> >
> > https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
> >
> > Looks like Hartmut used to use a different key, which I don’t have.
>
> I got this too, and manually worked around it by downloading
> guix-keyring.gpg from:
>
>
> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>
> And running:
>
> gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg
>

Thanks for the hint. I started with importing the keyring into my normal
keyring but I see now we have another keyring for this specifically.
(another being the user default, ~/.config/guix/upstream/trustedkeys.kbx
and now this one)

> It seems to be working now... how is the keyring *supposed* to be
> populated? Before I manually imported guix-keyring.gpg into guix.kbx,
> there were a very small number of keys present.
>
>
> It's a little awkward that it uses the fingerprint of the signing key
> rather than the primary key, as by default things like "gpg --list-keys"
> do not display the fingerprint of signing keys, only the primary key, so
> it is an adventure in gpg commandline options to correlate them.
>
> "git log --show-signature" also reports the primary key fingerprint,
> if the key is available in the keyring, and only the subkey fingerprint
> for unknown keys if I remember correctly.
>
> It would be nice if the statistics would display the primary uid
> instead, as it is something a little more human readable, and the
> primary key fingerprint, as it is a little easier to find. :)
>
>
> I'm hoping the eventual goal is to integrate this into guix pull?
>
>
> Very nice to see progress on this issue!
>
>
> live well,
> vagrant
--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
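
Added example, not part of this message or of Guix's code: the correlation between a signing-subkey fingerprint and its primary key and user ID, which the quoted text calls awkward to do by hand, can be read from gpg's colon-delimited listing. The listing and fingerprints below are constructed, and `index_keys` and `resolve` are hypothetical helper names.

```python
import re

# Constructed fingerprints and listing, in the shape printed by
# `gpg --list-keys --with-colons --with-subkey-fingerprint`.
PRIMARY, SIGN_SUB, ENC_SUB = "A" * 40, "B" * 40, "C" * 40
FPR = "fpr" + ":" * 9  # the fingerprint is field 10 of an fpr record
SAMPLE = "\n".join([
    "pub:-:4096:1:" + PRIMARY[-16:] + ":1500000000:::-:::scESC:",
    FPR + PRIMARY + ":",
    r"uid:-::::1500000000::0000::Alice (work\x3a guix) <alice@example.org>:",
    "sub:-:4096:1:" + SIGN_SUB[-16:] + ":1500000000::::::s:",
    FPR + SIGN_SUB + ":",
    "sub:-:4096:1:" + ENC_SUB[-16:] + ":1500000000::::::e:",
    FPR + ENC_SUB + ":",
])

def _unescape(field):
    # Colon listings escape bytes such as ":" as \x3a.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def index_keys(colon_text):
    """Map every fingerprint, primary or subkey, to the key that owns it."""
    index, key, last, caps = {}, None, None, ""
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and (f[0] == "pub" or key is not None):
            if f[0] == "pub":
                key = {"primary": None, "uid": None}
            last = f[0]
            caps = f[11] if len(f) > 11 else ""  # field 12: capabilities
        elif f[0] == "fpr" and key is not None and len(f) > 9:
            if last == "pub":
                key["primary"] = f[9]
            index[f[9]] = (key, caps)
        elif f[0] == "uid" and key is not None and key["uid"] is None and len(f) > 9:
            key["uid"] = _unescape(f[9])  # first uid listed for the key
    return index

def resolve(index, fingerprint):
    """Return primary fingerprint, uid and signing ability, or None if unknown."""
    hit = index.get(fingerprint.replace(" ", "").upper())
    if hit is None:
        return None  # the keyring lacks this key, as in the "is missing" error
    key, caps = hit
    return {"primary": key["primary"], "uid": key["uid"], "can_sign": "s" in caps}

if __name__ == "__main__":
    print(resolve(index_keys(SAMPLE), SIGN_SUB))
```

To run it against the channel keyring named in the message, feed `index_keys` the output of the same `gpg --no-default-keyring --keyring …` invocation with `--list-keys --with-colons --with-subkey-fingerprint` added.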