[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations
|
From: |
John Kehayias |
|
Subject: |
Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations |
|
Date: |
Thu, 11 Aug 2022 15:25:32 +0000 |
Hi everyone,
Thanks for this write-up and discussion Andrew. I'm also following along in [0]
but I'll just chime in here for now.
When I saw this I was worried since I also "just" use subkeys, meaning for all
signing etc. only my subkey is used. These are set to expire each year and then
I renew them. For places like GitLab/Hub, this requires deleting the public key
and re-adding it after I renew keys. Old commits still show as verified.
Anyway, that's my basic usage and I was worried that I would break a (third
party) Guix channel when I was added as a committer. Indeed, that is what just
happened, with the same steps: my primary key fingerprint was added to
.guix-authorizations. GitLab was happy enough verifying the (subkey signed)
commits, and even Cuirass would get the commits and build them. (Side note:
does Cuirass not do guix pull? Why would it not fail to pull just as a user?)
All that is to say that I think the use case of someone only using subkeys is
valid and one we could expect and should handle. Now, the correct and best way
to do that, especially with things like time-travel, I don't know. I just
wanted to note that I think only expecting the primary key (rather than
subkeys) is limiting.
Finally, as a concrete example of this usage, I manage my keys with a hardware
key (YubiKey) and followed this [1] guide to setting up with subkeys that I
renew regularly. The primary key isn't really used for much and I think this
works well, all I manage is renewal every so often.
[0] https://issues.guix.gnu.org/57091
[1] https://github.com/drduh/YubiKey-Guide
John