bug#22883: Authenticating a Git checkout


From: Ludovic Courtès
Subject: bug#22883: Authenticating a Git checkout
Date: Fri, 01 May 2020 19:04:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hey!

Ludovic Courtès <address@hidden> skribis:

>   • Load the keyring from files in the repo, possibly in a dedicated
>     branch.
>
>   • Load the list of authorized keys from the parent of the commit being
>     authenticated.

Done!

  8916c2fa32 git-authenticate: Load the keyring from the repository.
  6960064ddc git-authenticate: Load the list of authorized keys from the tree.
  f145a2d1a9 .guix-authorizations: Augment.
  62ae43db19 git-authenticate: Use (guix openpgp).

‘git-authenticate’ now loads the keyring from the “keyring” branch,
which I’ve just pushed as an “orphan” branch:

  https://git.savannah.gnu.org/cgit/guix.git/?h=keyring

So no need to store the keyring out-of-band, to spawn gpg to fetch keys
from somewhere else, etc.  The idea is that we’ll keep adding new keys
to this branch every time a new committer joins.  We would never remove
keys from there because those keys are necessary to verify signatures.
The fact that a key is present on that branch does _not_ mean that it
designates an authorized committer today.

The list of authorized committers is meant to be stored in a
‘.guix-authorizations’ file in each branch of the channel.  It is
essentially a list of fingerprints:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e

To accept a new committer, an authorized committer must add its key to
this file in the branch(es) where that person is expected to commit.
The format currently accepts additional data for each fingerprint.  It’s
currently ignored, but I thought it could be useful in the future, for
instance if we want to associate a file pattern with a key.

A commit is considered “authorized” if and only if its signing key is
listed in the ‘.guix-authorizations’ file of its parent commit(s).

In ‘git-authenticate’, this is implemented in a naive unoptimized way,
but it turns out to make no noticeable difference on the wall-clock time
to authenticate those 14K+ commits.  The crux of the authorization
mechanism is this procedure:

  (define* (commit-authorized-keys repository commit
                                   #:optional (default-authorizations '()))
    "Return the list of OpenPGP fingerprints authorized to sign COMMIT, based on
  authorizations listed in its parent commits.  If one of the parent commits
  does not specify anything, fall back to DEFAULT-AUTHORIZATIONS."
    …)

Feedback welcome!

Ludo’.
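A worked model of the authorization rule described above (a key may sign a commit only if its fingerprint is listed in the ‘.guix-authorizations’ of the parent commit(s), with a fallback for parents that carry no file). This is an added example, not the Guix ‘git-authenticate’ code; the commit history, the “FPR-…” fingerprints and the Python data model are constructed, and the handling of merge commits (the key must be listed by every parent, so per-parent sets are intersected) is an assumption the mail does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Commit:
    parents: list                          # parent commit ids
    signer: str                            # fingerprint of the (already verified) signing key
    authorizations: Optional[list] = None  # .guix-authorizations entries in this commit's tree

def listed_fingerprints(commit):
    """Fingerprints in COMMIT's .guix-authorizations, or None if the file is absent.
    Each entry is (fingerprint, extra); the extra data is ignored, as in the mail."""
    if commit.authorizations is None:
        return None
    return {fpr for fpr, *_extra in commit.authorizations}

def commit_authorized_keys(repo, commit_id, default_authorizations=()):
    """Fingerprints allowed to sign COMMIT_ID, taken from its parents' trees.
    A parent with no file falls back to DEFAULT_AUTHORIZATIONS; so does a root.
    Assumption (not stated in the mail): for a merge, the key must be listed by
    every parent, i.e. the per-parent sets are intersected."""
    commit = repo[commit_id]
    if not commit.parents:
        return set(default_authorizations)
    allowed = None
    for parent_id in commit.parents:
        listed = listed_fingerprints(repo[parent_id])
        if listed is None:
            listed = set(default_authorizations)
        allowed = listed if allowed is None else allowed & listed
    return allowed

def commit_authorized(repo, commit_id, default_authorizations=()):
    """A commit is authorized iff its signing key is in the parents' lists."""
    return repo[commit_id].signer in commit_authorized_keys(
        repo, commit_id, default_authorizations)

# Constructed history; "FPR-A" etc. stand in for real OpenPGP fingerprints.  All
# three keys would sit in the keyring branch, yet only a parent's file authorizes.
A, B, C = "FPR-A", "FPR-B", "FPR-C"
REPO = {
    "root":  Commit([], A),                                  # no file yet
    "c1":    Commit(["root"], A, [(A, "alice")]),            # needs the default
    "c2":    Commit(["c1"], A, [(A, "alice"), (B, "bob")]),  # A authorizes B
    "c3":    Commit(["c2"], B, [(A, "alice"), (B, "bob")]),  # B's first commit
    "early": Commit(["c1"], B),                              # B before being listed
    "rogue": Commit(["c2"], C),                              # C: keyring only
    "side":  Commit(["c1"], A, [(A, "alice")]),
    "merge": Commit(["c3", "side"], B),                      # side never listed B
}
```

Note that “rogue” is rejected even though key C would be present in the keyring branch, and that B becomes an authorized signer only for descendants of the commit that listed it.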