guix-devel

Re: bug#22883: Authenticating Git checkouts: step #1


From: Vagrant Cascadian
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Date: Sat, 28 Dec 2019 18:45:34 -0800

On 2019-12-27, Ricardo Wurmus wrote:
>>   b3011dbbd2 doc: Mention "make authenticate".
>>   787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
>>   785af04a75 git: 'commit-difference' takes a list of excluded commits.
>>   1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
>>
>> Commit 787766ed1e takes care of caching (one of the limitations I
>> mentioned in my previous message).
>>
>> Commit b3011dbbd2 adds instructions for contributors on how to
>> authenticate a checkout (copied below).  It’s a bit bumpy so I would
>> very much welcome feedback and suggestions on how to improve this!
>
> This is great!

Yes! Yes!


> Thank you for the instructions.  I thought I had all keys, but
> apparently at least one of them is missing.  “make authenticate” fails
> for me with this error:
>
> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
>
> I previously downloaded the gpg keyring from Savannah:
>
>     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>
> Looks like Hartmut used to use a different key, which I don’t have.

I got this too, and manually worked around it by downloading
guix-keyring.gpg from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And running:

  gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg

It seems to be working now... how is the keyring *supposed* to be
populated? Before I manually imported guix-keyring.gpg into guix.kbx,
there were a very small number of keys present.


It's a little awkward that it uses the fingerprint of the signing key
rather than the primary key, as by default things like "gpg --list-keys"
do not display the fingerprint of signing keys, only the primary key, so
it is an adventure in gpg commandline options to correlate them.

"gpg log --show-signature" also reports the primary key fingerprint,
if the key is available in the keyring, and only the subkey fingerprint
for unknown keys if I remember correctly.

It would be nice if the statistics would display the primary uid
instead, as it is something a little more human readable, and the
primary key fingerprint, as it is a little easier to find. :)


I'm hoping the eventual goal is to integrate this into guix pull?


Very nice to see progress on this issue!


live well,
  vagrant

Attachment: signature.asc
Description: PGP signature
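
The correlation discussed in the message above (from the signing-key fingerprint named in the error to the primary key and uid) can be scripted over gpg's machine-readable listing. This is an added example, not part of the original message or of Guix; the function names, fingerprints and uids are constructed, and the listing is abbreviated to the record types the script reads.

```shell
# Constructed sample values (not real keys).
PRI_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SUB_A=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
PRI_B=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
SUB_B=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

# Stand-in for the output of:
#   gpg --no-default-keyring --keyring KEYRING \
#       --list-keys --with-colons --with-subkey-fingerprint
# Field 1 is the record type; field 10 holds the fingerprint (fpr) or user ID (uid).
sample_keyring_listing() {
    cat <<EOF
pub:-:4096:1:AAAAAAAAAAAAAAAA:1546300800:::-:::scESC:
fpr:::::::::$PRI_A:
uid:-::::1546300800::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1546300800::::::s:
fpr:::::::::$SUB_A:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1546300800:::-:::scESC:
fpr:::::::::$PRI_B:
uid:-::::1546300800::0000000000000000000000000000000000000000::Bob Example <bob@example.org>:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1546300800::::::s:
fpr:::::::::$SUB_B:
EOF
}

# Read a colon listing on stdin; $1 is a primary-key or subkey fingerprint.
# Prints "<primary fingerprint><TAB><first uid>"; exits 1 if no key matches.
resolve_signing_key() {
    awk -F: -v want="$1" '
        # Called at the end of each key block, once all its records were seen.
        function emit() { if (hit) { printf "%s\t%s\n", primary, uid; found = 1 } }
        BEGIN { want = toupper(want) }
        $1 == "pub" { emit(); primary = uid = ""; hit = 0; last = "pub"; next }
        $1 == "sub" { last = "sub"; next }
        $1 == "fpr" { if (last == "pub") primary = $10   # fpr right after pub
                      if ($10 == want) hit = 1           # primary or subkey match
                      last = ""; next }
        $1 == "uid" && uid == "" { uid = $10 }           # first uid listed
        END { emit(); exit !found }
    '
}

# Demo: resolve the constructed subkey fingerprint to its primary key and uid.
sample_keyring_listing | resolve_signing_key "$SUB_A"
```

A non-zero exit status means the fingerprint is not in the listed keyring, which is the "key ... is missing" case from the quoted error.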

