Hey! Ludovic Courtès <l...@gnu.org> skribis:
>   • Load the keyring from files in the repo, possibly in a dedicated
>     branch.
>
>   • Load the list of authorized keys from the parent of the commit being
>     authenticated.

Done!

  8916c2fa32 git-authenticate: Load the keyring from the repository.
  6960064ddc git-authenticate: Load the list of authorized keys from the tree.
  f145a2d1a9 .guix-authorizations: Augment.
  62ae43db19 git-authenticate: Use (guix openpgp).

‘git-authenticate’ now loads the keyring from the “keyring” branch, which
I’ve just pushed as an “orphan” branch:

  https://git.savannah.gnu.org/cgit/guix.git/?h=keyring

So no need to store the keyring out-of-band, to spawn gpg to fetch keys
from somewhere else, etc.

The idea is that we’ll keep adding new keys to this branch every time a
new committer joins.  We would never remove keys from there because
those keys are necessary to verify signatures.  The fact that a key is
present on that branch does _not_ mean that it designates an authorized
committer today.

The list of authorized committers is meant to be stored in a
‘.guix-authorizations’ file in each branch of the channel.  It is
essentially a list of fingerprints:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c7ccae3334d4783dad24a1e

To accept a new committer, an authorized committer must add their key to
this file in the branch(es) where that person is expected to commit.

The format currently accepts additional data for each fingerprint.  It’s
currently ignored, but I thought it could be useful in the future, for
instance if we want to associate a file pattern with a key.

A commit is considered “authorized” if and only if its signing key is
listed in the ‘.guix-authorizations’ file of its parent commit(s).  In
‘git-authenticate’, this is implemented in a naive, unoptimized way, but
it turns out to make no noticeable difference on the wall-clock time to
authenticate those 14K+ commits.
The crux of the authorization mechanism is this procedure:

  (define* (commit-authorized-keys repository commit
                                   #:optional (default-authorizations '()))
    "Return the list of OpenPGP fingerprints authorized to sign COMMIT, based on
  authorizations listed in its parent commits.  If one of the parent commits
  does not specify anything, fall back to DEFAULT-AUTHORIZATIONS."
    …)

Feedback welcome!

Ludo’.
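The authorization rule described in the message above (a commit is accepted only if its signing key is listed in the ‘.guix-authorizations’ of its parent commit(s), with a fallback to the default list when a parent has no such file, and the keyring being a superset of who is authorized today), worked through as an added example. This is not Guix code: the commit graph, keyring and fingerprints are constructed, the file format is a simplified stand-in (one fingerprint per line, trailing data ignored), OpenPGP signature verification is assumed to have already happened and is represented by a `signer` field, and the merge-commit rule (key must be authorized by every parent) is an assumption the message does not state.

```python
# Added example, not Guix's own code.  Models the '.guix-authorizations'
# rule: a commit is accepted iff its (already verified) signing key is listed
# in its parent commit(s)' authorizations file; a parent without that file
# falls back to DEFAULT_AUTHORIZATIONS.  OpenPGP verification is out of scope:
# 'signer' is the fingerprint whose signature verified, or None.  The keyring,
# commits, fingerprints and file format below are all constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

AUTHORIZATIONS_FILE = ".guix-authorizations"


@dataclass
class Commit:
    parents: List[str]
    signer: Optional[str]                               # verified signing key, or None
    tree: Dict[str, str] = field(default_factory=dict)  # path -> file contents


def read_authorizations(text: str) -> Set[str]:
    """Parse the hypothetical format: one fingerprint per line; whatever
    follows the fingerprint is per-key extra data and is ignored."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split()[0])
    return keys


def commit_authorized_keys(repo: Dict[str, Commit], commit_id: str,
                           default_authorizations: FrozenSet[str] = frozenset()) -> Set[str]:
    """Fingerprints authorized to sign COMMIT_ID, taken from its parents'
    files.  A root commit, or a parent lacking the file, uses the default."""
    commit = repo[commit_id]
    if not commit.parents:
        return set(default_authorizations)
    per_parent = []
    for pid in commit.parents:
        text = repo[pid].tree.get(AUTHORIZATIONS_FILE)
        per_parent.append(read_authorizations(text) if text is not None
                          else set(default_authorizations))
    # Assumption for merges (not stated in the message): the key must be
    # authorized by every parent, otherwise merging an unauthorized branch
    # would launder its commits.
    return set.intersection(*per_parent)


def authenticate_commit(repo: Dict[str, Commit], keyring: Set[str], commit_id: str,
                        default_authorizations: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    commit = repo[commit_id]
    if commit.signer is None:
        return False, "unsigned"
    if commit.signer not in keyring:          # key unknown: signature cannot be checked
        return False, "signing key not in keyring"
    if commit.signer not in commit_authorized_keys(repo, commit_id, default_authorizations):
        return False, "signing key not authorized by parent(s)"
    return True, "ok"


def authenticate_all(repo, keyring, order, default_authorizations=frozenset()):
    """Authenticate ORDER (parents before children); return id -> (ok, why)."""
    return {cid: authenticate_commit(repo, keyring, cid, default_authorizations)
            for cid in order}


# --- constructed scenario --------------------------------------------------
KEYRING = {"AAAA", "BBBB", "CCCC"}   # every key ever used; never pruned
INTRO = frozenset({"AAAA"})          # default list: the key trusted for the root


def make(parents, signer, base=None, auths=None):
    tree = dict(base.tree) if base else {}
    if auths is not None:
        tree[AUTHORIZATIONS_FILE] = auths
    return Commit(parents, signer, tree)


REPO = {}
REPO["c0"] = make([], "AAAA", auths="AAAA alice")
REPO["c1"] = make(["c0"], "AAAA", REPO["c0"], "AAAA alice\nBBBB bob")  # A authorizes B
REPO["c2"] = make(["c1"], "BBBB", REPO["c1"])                           # B is now authorized
REPO["c3"] = make(["c1"], "CCCC", REPO["c1"])                           # in keyring, not authorized
REPO["c4"] = make(["c2"], "BBBB", REPO["c2"], "BBBB bob")               # B removes A
REPO["c5"] = make(["c4"], "AAAA", REPO["c4"])                           # A no longer authorized
REPO["c6"] = make(["c2"], "CCCC", REPO["c2"], "AAAA\nBBBB\nCCCC")       # C cannot authorize itself
REPO["c7"] = make(["c2", "c4"], "AAAA", REPO["c4"])                     # merge: A not in both parents
REPO["c8"] = make(["c0"], "AAAA")                                       # drops the file entirely
REPO["c9"] = make(["c8"], "BBBB", REPO["c8"])                           # parent lacks file -> default
REPO["cu"] = make(["c2"], None, REPO["c2"])                             # unsigned
ORDER = ["c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "cu"]

if __name__ == "__main__":
    for cid, (ok, why) in authenticate_all(REPO, KEYRING, ORDER, INTRO).items():
        print(f"{cid}: {'ok' if ok else 'REJECTED'} ({why})")
```

The two cases worth noticing are c6 and c9: a commit that adds its own key to the file is still rejected, because the decision is made against the parent's file, and a branch whose parent has no file silently falls back to the default list, so whoever introduces the channel should make sure every branch carries the file.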