bug-guix

bug#22883: Authenticating Git checkouts: step #1


From: Ludovic Courtès
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Wed, 08 Jan 2020 14:30:04 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello,

Jakub Kądziołka <address@hidden> wrote:

> Ludovic Courtès wrote:

[...]

>>    How do you ensure that you obtained a genuine copy of the repository?
>> Guix itself provides a tool to “authenticate” your checkout, but you
>> must first make sure this tool is genuine in order to “bootstrap” the
>> trust chain.  To do that, run:
>> 
>>      git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
>> 
>>    The output must look something like:
>> 
>>      gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
>>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>      ...
>>      gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
>>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>>      ...
>> 
>> ...  meaning that changes to this file are all signed with key
>> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
>> key from a key server, if you have not done it yet).
>> 
>>    From there on, you can authenticate all the commits included in your
>> checkout by running:
>> 
>>      make authenticate
>> 
>>    The first run takes a couple of minutes, but subsequent runs are
>> faster.
>> 
>>      Note: You are advised to run ‘make authenticate’ after every ‘git
>>      pull’ invocation.  This ensures you keep receiving valid changes to
>>      the repository
>> --8<---------------cut here---------------end--------------->8---
>
> Sadly, these instructions don't work from a fresh clone. There is only
> Makefile.am and no Makefile itself, so you get
>
> $ make authenticate
> make: *** No rule to make target 'authenticate'.  Stop.

Uh, good point.

> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.

It works as long as I’m the only one modifying it (the instructions
above explicitly mention my OpenPGP key).

This is obviously suboptimal though.  In a comment in
‘contributing.texi’, I wrote:

  @c XXX: Adjust instructions when there's a known tag to start from.

That would simplify things.

> There's also the issue of trusting pre-inst-env, which is used to run
> the verification. Should that be passed to 'git log --format=%H' next to
> git-authenticate.scm? This also applies to any scripts you use to drive
> this process, like the Makefile.

Yes, this ./pre-inst-env thing and more generally the fact that we’re
potentially running just-pulled code to authenticate the code is a
problem.

We can solve it by removing ./pre-inst-env from the command in ‘make
authenticate’.  It will require people to have a recent-enough Guix
already installed (in particular with commit
f94f9d67e65975724ee5b5cbc936c0895a258685), but I think that’s
unavoidable: the assumption will be that we trust the already-installed
host tools and use them to authenticate the new code.

Thoughts?

Ludo’.
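
The bootstrap check quoted above is done by reading gpg output by eye. The sketch below is an added example, not part of this message or of Guix: it runs the same `git verify-commit` check over a file's history and fails on the first commit that is unsigned, badly signed, or signed by another key. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check that every commit touching a
# file has a valid signature from one expected OpenPGP key.
# Assumption: the fingerprint compared is the VALIDSIG field that gpg shows
# as "using RSA key ..." in its human-readable output.

# Constructed GnuPG status output, in the form 'git verify-commit --raw' prints.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 090B11993D9AEBB5 Constructed User <user@example.org>
[GNUPG:] VALIDSIG 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 2019-12-27 1577449661 0 4 0 1 8 00 3CE464558A84FDC69DB40CFB090B11993D9AEBB5'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 090B11993D9AEBB5 Constructed User <user@example.org>'

# signing_fpr: read status lines on stdin and print the fingerprint of the
# key that made the signature; fail when there is no VALIDSIG line
# (unsigned commit, bad signature, missing public key).
signing_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1; exit }
         END { exit !found }'
}

# status_signed_by FPR: succeed only if the status on stdin shows a valid
# signature made by exactly FPR.
status_signed_by() {
    [ "$(signing_fpr)" = "$1" ]
}

# verify_history FPR PATH...: check each commit that modified PATH.
verify_history() {
    want=$1; shift
    for commit in $(git log --format=%H -- "$@"); do
        # git itself must accept the signature; --raw sends status to stderr.
        status=$(git verify-commit --raw "$commit" 2>&1) &&
            printf '%s\n' "$status" | status_signed_by "$want" || {
                echo "FAIL: $commit is not validly signed by $want" >&2
                return 1
            }
    done
    echo "OK: all commits touching $* are signed by $want"
}
```

After sourcing the file in a checkout, call `verify_history 3CE464558A84FDC69DB40CFB090B11993D9AEBB5 build-aux/git-authenticate.scm`; adding further paths (for example the scripts that drive the check) extends the same test to them.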