Hello,

Just a note for later…

l...@gnu.org (Ludovic Courtès) wrote:

> With the quick-hack libgit2 bindings attached, I can run this program,
> which authenticates HEAD:

[...]

> So I think we can go from here.  Our repo would contain a Scheme list of
> authorized OpenPGP fingerprints, and we’d check whether the fingerprint
> that shows up in ‘valid-signature’ above is among them

Storing the list of authorized keys in a file in the repo is
inconvenient: simply to retrieve it, you’d need to make a checkout.  So
for each commit we verify, we have to check out the whole repo, which is
inefficient.

While reading
<http://karl.kornel.us/2017/10/welp-there-go-my-git-signatures/>, I
realized we could store it in empty Git commit messages, which would
address the above problem (we could use a custom object type too, but
that would be less convenient).

So the special commit could look like:

  Authorization

  (commit-authorizations
    (authorization-commit (KEY1 KEY2 …))
    (files ("hydra.gnu.org.pub") (KEY1 KEY2 …))
    (files _ (KEY1 KEY2 …))) ;all other files

That way, to authenticate a commit, we first fetch the latest
authorization commit, read the authorization rules from there, and make
sure that the changes it makes match the rules.

Thoughts?

Ludo’.
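
The rule lookup described in the message above, sketched in Guile as an added example; it is not part of the original message and is not Guix code. It assumes the commit message is the title line, a blank line, then the s-expression, that `files` rules are tried in order with the first match deciding, and that keys are written as strings; all procedure names are hypothetical.

```scheme
(use-modules (ice-9 match) (srfi srfi-1))

;; Constructed sample message; "KEY1" and "KEY2" stand in for fingerprints.
(define %sample-message
  "Authorization

(commit-authorizations
  (authorization-commit (\"KEY1\"))
  (files (\"hydra.gnu.org.pub\") (\"KEY1\"))
  (files _ (\"KEY1\" \"KEY2\"))) ;all other files
")

(define (message->rules message)
  "Return the rules in MESSAGE, or #f if it is not an authorization message."
  (let ((index (string-contains message "\n\n")))
    (and index
         (string=? (string-take message index) "Authorization")
         (match (call-with-input-string (string-drop message (+ index 2)) read)
           (('commit-authorizations rules ...) rules)
           (_ #f)))))

(define (authorized-keys rules file)
  "Return the keys of the first 'files' rule naming FILE or using _, else ()."
  (or (any (match-lambda
             (('files '_ keys) keys)
             (('files (names ...) keys) (and (member file names) keys))
             (_ #f))
           rules)
      '()))

(define (authorized? rules signer files)
  "Return #t if SIGNER may sign a commit that changes every file in FILES."
  (every (lambda (file)
           (->bool (member signer (authorized-keys rules file))))
         files))

(define (may-update-rules? rules signer)
  "Return #t if SIGNER may sign the next authorization commit."
  (any (match-lambda
         (('authorization-commit keys) (->bool (member signer keys)))
         (_ #f))
       rules))

;; Constructed checks; "some/file.scm" is a made-up file name.
(define rules (message->rules %sample-message))
(for-each (lambda (result) (format #t "~a~%" result))
          (list (authorized? rules "KEY2" '("some/file.scm"))
                (authorized? rules "KEY2" '("hydra.gnu.org.pub" "some/file.scm"))
                (may-update-rules? rules "KEY2")))
```

A commit touching several files passes only if the signer is authorized for each of them, so one restricted file is enough to reject the whole commit.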
