bug#22883: Authenticating a Git checkout

Hi, John Soo skribis: > I like this idea a lot since I use a checkout which I guess constitutes > a "fork" in this scenario. I opened bug#41604 > (http://issues.guix.gnu.org/issue/41604) after having trouble with a > rebase based workflow. Some of my problems certainly come from my lack > of u

bug#22883: Authenticating a Git checkout

Hi Ludo, I like this idea a lot since I use a checkout which I guess constitutes a "fork" in this scenario. I opened bug#41604 (http://issues.guix.gnu.org/issue/41604) after having trouble with a rebase based workflow. Some of my problems certainly come from my lack of understanding of the authe

bug#22883: Authenticating a Git checkout

Hello! Ludovic Courtès skribis: > The list of authorized committers is meant to be stored in a > ‘.guix-authorizations’ file in each branch of the channel. It is > essentially a list of fingerprints: > > > https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-openpgp&id=f145a2d1a982cc841c

bug#22883: Authenticating a Git checkout

Hi! Ludovic Courtès skribis: > Done the API cleanup. I’ll go ahead and push the current ‘wip-openpgp’ > branch (squashing commits marked as such) tomorrow if there are no > objections. Pushed on master! 4a84deda74 doc: Recommend against SHA1 OpenPGP signatures. 84133320b8 doc: Document co

bug#22883: Authenticating a Git checkout

Ludovic Courtès skribis: > Next steps: > > • Clean up the (guix openpgp) API a bit, for instance by using proper > SRFI-35 error conditions. Done the API cleanup. I’ll go ahead and push the current ‘wip-openpgp’ branch (squashing commits marked as such) tomorrow if there are no objections

bug#22883: Authenticating a Git checkout

Ludovic Courtès skribis: > • Generalize that to channels. As I see it, the generalization would be made by adding the authentication parameters to the ‘.guix-channel’ file, along these lines: (channel (version 0) (keyring-reference "my-keyring-branch") (historical-authorizations

bug#22883: Authenticating a Git checkout

Hey! Ludovic Courtès skribis: > • Load the keyring from files in the repo, possibly in a dedicated > branch. > > • Load the list of authorized keys from the parent of the commit being > authenticated. Done! 8916c2fa32 git-authenticate: Load the keyring from the repository. 6960

bug#22883: Authenticating a Git checkout

Hi Justus, Justus Winter skribis: > Ludovic Courtès writes: [...] >> Signature verification in (guix openpgp) does just that: signature >> verification. It does not validate signature and key metadata, in >> particular expiration date. I guess it should at least error out when a >> signatur

bug#22883: Authenticating a Git checkout

Ludovic Courtès writes: > At this stage, ‘make authenticate’ uses the pure-Scheme implementation > (based on Göran Weinholt’s code, heavily modified). It can authenticate > 14K+ commits in ~20s instead of 4m20s on my laptop, which is really > nice. Neat :) > Signature verification in (guix ope

bug#22883: Authenticating a Git checkout

Hi there! Ludovic Courtès skribis: >> You mentioned that checking signatures on commits is also kinda slow >> because it’s sequential and not cached. I don’t know what I really >> want, but is there perhaps a way to aggregate signatures on past commits >> so that the client’s work is reduced…?

bug#22883: Authenticating a Git checkout

Hi, Ricardo Wurmus skribis: > Ludovic Courtès writes: > >> The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb >> makes things acceptable: the first “make authenticate” run takes a bit >> more than two minutes to check all the commits starting from ‘v1.0.1’, >> but subsequent ru

bug#22883: Authenticating a Git checkout

Ludovic Courtès writes: > The caching implemented in 787766ed1e7f0806a98e696830542da528f957bb > makes things acceptable: the first “make authenticate” run takes a bit > more than two minutes to check all the commits starting from ‘v1.0.1’, > but subsequent runs take a few seconds. This sounds

bug#22883: Authenticating a Git checkout

Hello! Ricardo Wurmus skribis: > Ludovic Courtès writes: > [...] >> While reading >> , I >> realized we could store in empty Git commit messages, which would >> address the above problem (we could use a custom object type too, bu

bug#22883: Authenticating a Git checkout

Ludovic Courtès writes: > Hello, > > Just a note for later… > > l...@gnu.org (Ludovic Courtès) skribis: > >> With the quick-hack libgit2 bindings attached, I can run this program, >> which authenticates HEAD: > > [...] > >> So I think we can go from here. Our repo would contain a Scheme list o

bug#22883: Authenticating a Git checkout

Hello, Just a note for later… l...@gnu.org (Ludovic Courtès) skribis: > With the quick-hack libgit2 bindings attached, I can run this program, > which authenticates HEAD: [...] > So I think we can go from here. Our repo would contain a Scheme list of > authorized OpenPGP fingerprints, and we’

bug#22883: Authenticating a Git checkout

Hello! "Thompson, David" skribis: > On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Courtès wrote: > >> It Would Be Nice if the libgit2 bindings were maintained separately. We >> can start with just the features we need as (guix git), but if anyone >> wants to “externalize” it and improve it, that wo

bug#22883: Authenticating a Git checkout

Hi Ludo, This is some awesome work! On Fri, Jul 22, 2016 at 4:22 AM, Ludovic Courtès wrote: > It Would Be Nice if the libgit2 bindings were maintained separately. We > can start with just the features we need as (guix git), but if anyone > wants to “externalize” it and improve it, that would b

bug#22883: Authenticating a Git checkout

Hi! l...@gnu.org (Ludovic Courtès) skribis: > Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on > the CHICKEN bindings², easy! Well no, it turns out that libgit2³ has no > support for signed commits (the ‘signature’ abstraction there has > nothing to do with OpenPGP signatur

bug#22883: Authenticating a Git checkout

On 2016-06-04(12:45:16PM+), ng0 wrote: > On 2016-06-04(01:17:53+0200), Ludovic Courtès wrote: > > Hi! > > > > Mike Gerwitz skribis: > > > > > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote: > > >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and > > >> th

bug#22883: Authenticating a Git checkout

Hello, Mike Gerwitz skribis: > But there doesn't seem to be any way to secure a git repository against > a second-preimage attack. That’s by large beyond the scope of this discussion. :-) I think all we want is to allow someone who gets a checkout of Guix to authenticate the source code, i.e.

bug#22883: Authenticating a Git checkout

On Sun, Jun 05, 2016 at 15:39:04 -0500, Christopher Allan Webber wrote: > One theoretical optimization: if I verify the DAG, could I store > somewhere that I've verified from commit cabba6e and upward already, so > the next time I verify it only has to verify the new commits? tbh, I haven't given

bug#22883: Authenticating a Git checkout

On Sun, Jun 05, 2016 at 03:39:04PM -0500, Christopher Allan Webber wrote: > One theoretical optimization: if I verify the DAG, could I store > somewhere that I've verified from commit cabba6e and upward already, so > the next time I verify it only has to verify the new commits? AIUI `git verify-co

bug#22883: Authenticating a Git checkout

Ludovic Courtès writes: >>> Second, even if it did, it would be a shallow check: as Mike notes in >>> with the ‘signchk’ >>> script, you actually have to traverse the whole commit history and >>> authenticate them one by one. But that’s OK, it run

bug#22883: Authenticating a Git checkout

On 2016-06-04(01:17:53+0200), Ludovic Courtès wrote: > Hi! > > Mike Gerwitz skribis: > > > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote: > >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and > >> there’s no way to set it globally. > > > > That's unfortunate

bug#22883: Authenticating a Git checkout

On Sat, Jun 04, 2016 at 13:17:53 +0200, Ludovic Courtès wrote: > We have incomplete libgcrypt bindings: > > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/pk-crypto.scm > > This is used for the authentication of substitutes: > > https://www.gnu.org/software/guix/manual/html_node/Substitute

bug#22883: Authenticating a Git checkout

Hi! Mike Gerwitz skribis: > On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote: >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and >> there’s no way to set it globally. > > That's unfortunate. Does your checkout scenario include a fresh clone? > If so, a pull

bug#22883: Authenticating a Git checkout

Leo Famulari skribis: > On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote: >> Hello! >> >> So we sign Git commits, and now we want to authenticate Git checkouts. >> There’s a series of bad news. >> >> First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and >> ther

bug#22883: Authenticating a Git checkout

Ludo: On Fri, Jun 03, 2016 at 18:12:47 +0200, Ludovic Courtès wrote: > First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and > there’s no way to set it globally. That's unfortunate. Does your checkout scenario include a fresh clone? If so, a pull flag wouldn't help there. Leo

bug#22883: Authenticating a Git checkout

On Fri, Jun 03, 2016 at 06:12:47PM +0200, Ludovic Courtès wrote: > Hello! > > So we sign Git commits, and now we want to authenticate Git checkouts. > There’s a series of bad news. > > First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and > there’s no way to set it globally. S

bug#22883: Authenticating a Git checkout

Hello! So we sign Git commits, and now we want to authenticate Git checkouts. There’s a series of bad news. First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and there’s no way to set it globally. Second, even if it did, it would be a shallow check: as Mike notes in