On 2022-09-02 15:23, Ludovic Courtès wrote:
> Hello!
>
> I’m late to the party, but thanks a lot for sending this analysis!
>
> Andrew Tropin <and...@trop.in> skribis:
>
>> * What could be done better?
>> - guix pull could be done from local checkout, before pushing.
>
> Setting a pre-push hook that invokes ‘guix git authenticate’, as
> recommended in the manual (info "(guix) Commit Access"), should be
> enough: ‘git push’ would just fail in that situation.
For some reason I thought it does ‘git verify-commit’, which I used manually to check if a commit is signed, but it does ‘make authenticate’, which of course works the other way. Missed it, my bad. I have elaborated on this topic a little more in the manual.
From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001 From: Andrew Tropin <and...@trop.in> Date: Mon, 5 Sep 2022 09:46:23 +0300 Subject: [PATCH] doc: Add more info about commits signature local verification. * doc/contributing.texi (Commit Access): Add more info about commits signature local verification. --- doc/contributing.texi | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/doc/contributing.texi b/doc/contributing.texi index b1d236c011..17a54f94cc 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi @@ -1627,14 +1627,23 @@ git config commit.gpgsign true git config user.signingkey CABBA6EA1DC0FF33 @end example -You can prevent yourself from accidentally pushing unsigned commits to -Savannah by using the pre-push Git hook located at -@file{etc/git/pre-push}: +To check that commits are signed with correct key, use: + +@example +make authenticate +@end example + +You can prevent yourself from accidentally pushing unsigned or signed +with the wrong key commits to Savannah by using the pre-push Git hook +located at @file{etc/git/pre-push}: @example cp etc/git/pre-push .git/hooks/pre-push @end example +It additionally calls @code{make check-channel-news} to be sure +@file{news.scm} file is correct. + @subsection Commit Policy If you get commit access, please make sure to follow -- 2.37.2
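Review bot: the new wording in doc/contributing.texi has grammar problems that would ship in the manual. "To check that commits are signed with correct key, use:" should read "with the correct key"; "pushing unsigned or signed with the wrong key commits to Savannah" is hard to parse and could become "pushing commits that are unsigned or signed with the wrong key to Savannah"; and "to be sure @file{news.scm} file is correct" needs "the" before @file{news.scm}. The closing sentence "It additionally calls @code{make check-channel-news}" directly follows the @example with the cp command, so "It" reads as the cp command rather than the hook; "The hook additionally runs @code{make check-channel-news}" would be unambiguous.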
>> - Accept subkey on guix pull if master key is in .guix-authorizations.
>
> Reported at <https://issues.guix.gnu.org/57091>.
>
>> - Add pre-push hook, which checks authorization on Savannah.
>
> That one is difficult: Guix is not installed on those machines.
>
> Another option would be to push to a different machine, one that we
> control, and make Savannah a mirror of that one.

It can work, but looks fragile.

> Thoughts?

Let's ask the Savannah admins if it is possible to install Guix on those machines and add a pre-receive/update hook? If not, we will look for other options.

--
Best regards,
Andrew Tropin
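As an added example that is not part of this thread or of the etc/git/pre-push hook in the Guix tree, here is a minimal fail-closed pre-push hook of the kind Ludovic describes: it reads the refs Git hands the hook on stdin, runs ‘make authenticate’ (the target the patch above documents) whenever commits would actually be pushed, and makes ‘git push’ fail when authentication fails. The one behaviour beyond the thread is that ref deletions, which push no commits, are let through without authenticating; the ref-line format and the $1/$2 arguments are Git's documented pre-push interface.

```shell
#!/bin/sh
# Added example, not the etc/git/pre-push hook shipped in the Guix tree:
# a fail-closed pre-push hook.  Git runs it with $1 = remote name and
# $2 = remote URL, and feeds one line per ref to be pushed on stdin:
#   <local ref> <local sha1> <remote ref> <remote sha1>
# A local sha1 of all zeros means the ref is being deleted, so no
# commits leave the machine and nothing needs authenticating.
ZERO=0000000000000000000000000000000000000000

# Return 0 if at least one stdin line pushes commits (i.e. is not a
# deletion), 1 otherwise.
pushes_commits() {
    found=1
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ -n "$local_ref" ] || continue
        [ "$local_sha" = "$ZERO" ] || found=0
    done
    return $found
}

# check_push AUTH_CMD...: read the ref lines from stdin and run AUTH_CMD
# (the thread's hook uses "make authenticate", which wraps
# `guix git authenticate`) when commits would be pushed.  Returns 0 to
# let the push proceed and 1 to refuse it; the reason goes to stderr so
# `git push` shows why it stopped.
check_push() {
    if ! pushes_commits; then
        return 0            # only deletions: nothing to authenticate
    fi
    if "$@"; then
        return 0
    fi
    echo "pre-push: '$*' failed; refusing to push unauthenticated commits" >&2
    return 1
}

# Entry point when installed as .git/hooks/pre-push (skipped when this
# file is sourced, e.g. to exercise the functions above).
case "$0" in
    */pre-push) check_push make authenticate || exit 1 ;;
esac
```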