[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Commit pushed to master with unauthorised signature

From: Tobias Geerinckx-Rice
Subject: Commit pushed to master with unauthorised signature
Date: Wed, 10 Mar 2021 22:22:24 +0100


I have very little time to write a proper post-mortem. Luckily, thanks to the prompt help of rwp of #savannah fame and Ludo's sane ‘guix pull’ design, there's not much to report, although there's something to improve.

Despite the scary title, at no point did anything untoward or malicious happen. Users were not at risk.

Earlier today the following commit was pushed to master:

--8<---------------cut here---------------start------------->8---
commit 15092548804b6c50ea276d098f76a79bd0042398
gpg: Signature made Wed Mar 10 19:55:39 2021 CET
gpg: using RSA key 51A0982A58B64622464833085EEB3986CB2F65ED gpg: Good signature from "Taylan Kammer (Debian10VM) <>" [unknown] Primary key fingerprint: 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED
Author: Taylan Kammer <>

   gnu: guile-bytestructures: Update to 1.0.10.

* gnu/packages/guile.scm (guile-bytestructures): Update to 1.0.10.
--8<---------------cut here---------------end--------------->8---

The key with fingerprint 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED is not present in .guix-authorizations, nor in the ‘keyring’ branch. This broke ‘guix pull’ for all users[0]:

--8<---------------cut here---------------start------------->8---
guix pull: error: could not authenticate commit 15092548804b6c50ea276d098f76a79bd0042398: key 51A0 982A 58B6 4622 4648 3308 5EEB 3986 CB2F 65ED is missing
--8<---------------cut here---------------end--------------->8---

The only solution to that is to remove the offending commit upstream. Our Savannah git repository does not allow deleting or force-pushing master for safety reasons. Helpful Bob Proulx of the Savannah team manually reset the remote master branch back to the previous[1] commit.

I have pushed Taylan's commit as b1eb7448370bbd4d494cf9f3fddae88dd0de2ca3, signed with my own key.

The good news is that ‘guix pull’ commit authentication has passed real-world testing, and that the mess was relatively transparent to users: ‘guix pull’ continues to work without extra options, even for those who pulled between 150925 and b1eb74 and got a scary error.

The less-good news is that our remote git hook should never have allowed this to happen in the first place, and that this weakness has been known for... well, a while[2]. Any committer can DoS guix pull in a way that even the maintainers can't fix unaided.

This also highlights the fact that many people[3] are currently unconditionally trusted with commit access. This includes ‘currently inactive members’: Savannah has no way to disable or even restrict commit access (to specific branches, subdirectories, or even repositories(?)) without removing membership altogether. The chance of mistakes, key confusion, forgotten commit privileges grows.

lfam has started removing certain inactive people from this list, but removing people is not a fun job nor something one proactive volunteer should be tasked with alone.

Kind regards,


[1]: 60174c9c8c307be43450af38ce7c4e268278e07c,

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]