[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Commit pushed to master with unauthorised signature
|
From: |
Taylan Kammer |
|
Subject: |
Re: Commit pushed to master with unauthorised signature |
|
Date: |
Thu, 11 Mar 2021 14:11:38 +0100 |
|
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 |
On 11.03.2021 08:37, Maxime Devos wrote:
> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>> Damn, sorry about that. I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>>
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.
>
> "guix pull" only looks at the git repo (the .guix-authorizations file + the
> keyring branch), and not anything else provided by savannah. Doing so would
> introduce an additional point where the "guix pull" mechanism could be
> compromised. The git repository could as well have been hosted at
> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>
> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
> ‘7.4 Invoking ‘guix git authenticate’’).
Thanks, makes sense.
I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them where ever needed.
(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.
- Taylan