[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channe
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#50814] [PATCH] guix: git-authenticate: Also authenticate the channel intro commit. |
|
Date: |
Sat, 09 Oct 2021 15:53:24 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi Attila,
Attila Lendvai <attila@lendvai.name> skribis:
> * guix/git-authenticate.scm (authenticate-commit): Reword and extend the error
> message to point to the relevant part of the manual.
> (authenticate-repository): Explicitly authenticate the channel introduction
> commit, so that it's also rejected unless it is signed by an authorized
> key. Otherwise only the second commit would yield an error, which
> is confusing.
This behavior is intentional and documented (info "(guix) Specifying
Channel Authorizations"):
Channel introductions answer these questions by describing the first
commit of a channel that should be authenticated. The first time a
channel is fetched with ‘guix pull’ or ‘guix time-machine’, the command
looks up the introductory commit and verifies that it is signed by the
specified OpenPGP key. From then on, it authenticates commits according
to the rule above.
[…]
The channel introduction, as we saw above, is the commit/key
pair—i.e., the commit that introduced ‘.guix-authorizations’, and
the fingerprint of the OpenPGP used to sign it.
By definition, parent commits of the introduction do not (not
necessarily) provide ‘.guix-authorizations’. So there’s nothing to be
done here, other than checking that the introductory commit is indeed
signed by the key specified in the introduction.
Does that make sense?
(Other patches you posted in this thread might be useful though, but we
can discuss them independently.)
Thanks,
Ludo’.
PS: If you haven’t already, you can take a look at the following pages
for more on the design rationale:
https://guix.gnu.org/en/blog/2020/securing-updates/
https://issues.guix.gnu.org/22883#69