[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Commit pushed to master with unauthorised signature

From: Maxime Devos
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 08:37:16 +0100
User-agent: Evolution 3.34.2

On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
> [...]
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.
> However, I also assumed that adding a new GPG key to my
> account would be sufficient.

"guix pull" only looks at the git repo (the .guix-authorizations file + the
keyring branch), and not anything else provided by savannah.  Doing so would
introduce an additional point where the "guix pull" mechanism could be
compromised.  The git repository could as well have been hosted at

(See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
‘7.4 Invoking ‘guix git authenticate’’).

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo,

Yes (though they probably are same in practice).

> or are they not automatically synced,

Yes, they aren't.

> this a further bug?..

No, savannah is not ‘trusted’ beyond being online, as that would introduce
another point where "guix pull" could be compromised.


Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to

[Prev in Thread] Current Thread [Next in Thread]