[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Commit pushed to master with unauthorised signature

From: Taylan Kammer
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 14:11:38 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1

On 11.03.2021 08:37, Maxime Devos wrote:
> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>> Damn, sorry about that.  I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>> However, I also assumed that adding a new GPG key to my
>> account would be sufficient.
> "guix pull" only looks at the git repo (the .guix-authorizations file + the
> keyring branch), and not anything else provided by savannah.  Doing so would
> introduce an additional point where the "guix pull" mechanism could be
> compromised.  The git repository could as well have been hosted at
> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
> ‘7.4 Invoking ‘guix git authenticate’’).

Thanks, makes sense.

I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them where ever needed.
(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)

I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.

- Taylan

reply via email to

[Prev in Thread] Current Thread [Next in Thread]