
Re: bug#22883: Authenticating Git checkouts: step #1


From: Ludovic Courtès
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Date: Fri, 27 Dec 2019 13:58:36 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello Guix!

Ludovic Courtès <address@hidden> wrote:

> To begin with, I propose the attached script: when given a commit range,
> it authenticates each commit, meaning that it ensures commits have a
> valid signature and that that signature was made by one of the
> authorized keys.  Sample session:
>
> $ time ./pre-inst-env guile -e git-authenticate build-aux/git-authenticate.scm d68de958b60426798ed62797ff7c96c327a672ac 099ce5d4901706dc2c5be888a5c8cbf8fcd0d576
> Authenticating d68de95 to 099ce5d (7938 commits)...
> Signing statistics:
>   BCA689B636553801C3C62150197A5888235FACAC       1454
>   3CE464558A84FDC69DB40CFB090B11993D9AEBB5       1025
>   BBB02DDF2CEAF6A80D1DE643A2A06DF2A33A54FA        941
>
> [...]
>
> real  2m21.272s
> user  1m38.741s
> sys   0m59.546s

I’ve now committed this file:

  b3011dbbd2 doc: Mention "make authenticate".
  787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
  785af04a75 git: 'commit-difference' takes a list of excluded commits.
  1e43ab2c03 Add 'build-aux/git-authenticate.scm'.

Commit 787766ed1e takes care of caching (one of the limitations I
mentioned in my previous message).

Commit b3011dbbd2 adds instructions for contributors on how to
authenticate a checkout (copied below).  It’s a bit bumpy so I would
very much welcome feedback and suggestions on how to improve this!

Thanks in advance!

Ludo’.

--8<---------------cut here---------------start------------->8---
If you want to hack Guix itself, it is recommended to use the latest
version from the Git repository:

     git clone https://git.savannah.gnu.org/git/guix.git

   How do you ensure that you obtained a genuine copy of the repository?
Guix itself provides a tool to “authenticate” your checkout, but you
must first make sure this tool is genuine in order to “bootstrap” the
trust chain.  To do that, run:

     git verify-commit `git log --format=%H build-aux/git-authenticate.scm`

   The output must look something like:

     gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
     gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
     ...
     gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
     gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
     ...

...  meaning that changes to this file are all signed with key
‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
key from a key server, if you have not done it yet).

   From there on, you can authenticate all the commits included in your
checkout by running:

     make authenticate

   The first run takes a couple of minutes, but subsequent runs are
faster.

     Note: You are advised to run ‘make authenticate’ after every ‘git
     pull’ invocation.  This ensures you keep receiving valid changes to
     the repository.
--8<---------------cut here---------------end--------------->8---
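The bootstrap step in the documentation above relies on the reader eyeballing the gpg output to confirm that every change to the authentication script was signed with the expected key; `git verify-commit` alone only tells you that *some* key in your keyring made a valid signature. As an added example (not code from this message nor from Guix's own build-aux/git-authenticate.scm), the following POSIX shell script makes that check mechanical: it lists every commit that touched the script and fails unless each one carries a good signature whose fingerprint is the one quoted in the message. It assumes a Git recent enough to support the `%G?` and `%GF` log placeholders and that the key has already been imported into the local GnuPG keyring (both assumptions, not stated on the page).

```shell
#!/bin/sh
# Added example: pin the signing key of build-aux/git-authenticate.scm to a
# known fingerprint instead of reading gpg's output by hand.  Not part of
# the original message or of the Guix tree.

# Fingerprint quoted in the message.  Compared against %GF, which (like
# gpg's "using RSA key ..." line) is the fingerprint of the key that made
# the signature.
EXPECTED_KEY=3CE464558A84FDC69DB40CFB090B11993D9AEBB5

# check_signature_lines reads lines of the form "<commit> <status> <fingerprint>",
# i.e. what `git log --format='%H %G? %GF'` prints, from standard input.
# It succeeds only if every commit has a good signature (status G, or U for
# a good signature from a key without web-of-trust validity, which is fine
# here because we pin the exact fingerprint) made by the expected key.
check_signature_lines() {
    expected=$1
    bad=0
    while read -r commit status fpr; do
        [ -z "$commit" ] && continue
        case "$status" in
            G|U) ;;   # good signature; key identity checked below
            *)
                echo "$commit: signature status '$status' is not a good signature" >&2
                bad=1
                continue
                ;;
        esac
        if [ "$fpr" != "$expected" ]; then
            echo "$commit: signed by ${fpr:-<no key>}, expected $expected" >&2
            bad=1
        fi
    done
    return "$bad"
}

# bootstrap_check runs the check against the real history of the
# authentication script in the current checkout.  The exit status of the
# pipeline is that of check_signature_lines, so the script exits non-zero
# if any commit fails the check.
bootstrap_check() {
    git log --format='%H %G? %GF' -- build-aux/git-authenticate.scm \
        | check_signature_lines "$EXPECTED_KEY"
}

# Run the real check only when invoked as `sh this-script.sh run` from the
# top of a Guix checkout; sourcing the file just defines the functions.
case "${1:-}" in
    run) bootstrap_check && echo "build-aux/git-authenticate.scm: all commits signed by $EXPECTED_KEY" ;;
esac
```

If this succeeds, the script itself can be trusted and `make authenticate` can take over for the rest of the history; if it fails, the output names the offending commit and either the signature status Git reported or the unexpected fingerprint.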
