bug#22883: Authenticating Git checkouts: step #1
From: Jakub Kądziołka
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Tue, 31 Dec 2019 20:16:39 +0100

Hi Guix!

Ludovic Courtès wrote:
> --8<---------------cut here---------------start------------->8---
> If you want to hack Guix itself, it is recommended to use the latest
> version from the Git repository:
>
> git clone https://git.savannah.gnu.org/git/guix.git
>
> How do you ensure that you obtained a genuine copy of the repository?
> Guix itself provides a tool to “authenticate” your checkout, but you
> must first make sure this tool is genuine in order to “bootstrap” the
> trust chain. To do that, run:
>
> git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
>
> The output must look something like:
>
> gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
> gpg: using RSA key
> 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> ...
> gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
> gpg: using RSA key
> 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
> ...
>
> ... meaning that changes to this file are all signed with key
> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
> key from a key server, if you have not done it yet).
>
> From there on, you can authenticate all the commits included in your
> checkout by running:
>
> make authenticate
>
> The first run takes a couple of minutes, but subsequent runs are
> faster.
>
> Note: You are advised to run ‘make authenticate’ after every ‘git
> pull’ invocation. This ensures you keep receiving valid changes to
> the repository
> --8<---------------cut here---------------end--------------->8---
Sadly, these instructions don't work from a fresh clone. There is only
Makefile.am and no Makefile itself, so you get

    $ make authenticate
    make: *** No rule to make target 'authenticate'. Stop.

Moreover, I don't think running 'make authenticate' after 'git pull'
would really work -- after you pulled, git-authenticate could've been
modified, so the verify-commit you did earlier doesn't apply anymore.

There's also the issue of trusting pre-inst-env, which is used to run
the verification. Should that be passed to 'git log --format=%H' next to
git-authenticate.scm? This also applies to any scripts you use to drive
this process, like the Makefile.

Regards,
Kuba
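
The bootstrap check discussed in this message, extended to the other files the reply names and made to compare the fingerprint mechanically instead of by eye. This is an added example, not code from the thread or from Guix; the `pre-inst-env` and Makefile paths, the function names and the sample status lines are assumptions.

```sh
#!/bin/sh
# Fingerprint quoted in the instructions above.
EXPECTED_FPR=3CE464558A84FDC69DB40CFB090B11993D9AEBB5

# Files that drive authentication. The first path is from the quoted
# instructions; the other two are assumed locations of the pre-inst-env
# and Makefile sources that the reply asks about.
TRUST_PATHS="build-aux/git-authenticate.scm build-aux/pre-inst-env.in Makefile.am"

# Constructed sample of `git verify-commit --raw` output for a good signature.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2019-12-27 1577449661 0 4 0 1 8 00 $EXPECTED_FPR"

# signed_by FPR: read GnuPG status lines on stdin and succeed only if a
# VALIDSIG line names FPR as the signing key (field 3) or primary key (last).
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            ($3 "" == want "" || $NF "" == want "") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# unsigned_commits FPR PATH...: print every commit touching PATH... that is
# not validly signed by FPR. Returns 0 if all are signed, 1 if any is not,
# 2 if nothing could be checked (not a checkout, or no commit touches PATH).
unsigned_commits() {
    _fpr=$1; shift
    _commits=$(git log --format=%H -- "$@") || return 2
    [ -n "$_commits" ] || return 2
    _bad=0
    for _c in $_commits; do
        # --raw makes git print the GnuPG status lines on stderr.
        if ! git verify-commit --raw "$_c" 2>&1 | signed_by "$_fpr"; then
            echo "$_c"
            _bad=1
        fi
    done
    return "$_bad"
}

# From the top of a checkout: sh check-trust-anchors.sh --check
if [ "${1:-}" = "--check" ]; then
    unsigned_commits "$EXPECTED_FPR" $TRUST_PATHS &&
        echo "all commits touching trust anchors are signed by $EXPECTED_FPR"
fi
```

The signing key has to be in the local keyring already, and the script has to be kept outside the checkout it verifies, since a file pulled along with the commits is exactly what is not yet trusted.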