[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Commit pushed to master with unauthorised signature

From: Julien Lepiller
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 10:16:13 -0500
User-agent: K-9 Mail for Android

Also, make sure to install the pre-push hook, it should not have let you commit without checking your commits were properly recognised.

Le 11 mars 2021 08:11:38 GMT-05:00, Taylan Kammer <> a écrit :
On 11.03.2021 08:37, Maxime Devos wrote:
On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
Damn, sorry about that. I assumed of course that an improperly signed
commit would not be accepted, so I didn't pay any special mind.

However, I also assumed that adding a new GPG key to my
account would be sufficient.

"guix pull" only looks at the git repo (the .guix-authorizations file + the
keyring branch), and not anything else provided by savannah. Doing so would
introduce an additional point where the "guix pull" mechanism could be
compromised. The git repository could as well have been hosted at

(See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
‘7.4 Invoking ‘guix git authenticate’’).

Thanks, makes sense.

I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them where ever needed.
(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)

I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.

- Taylan

reply via email to

[Prev in Thread] Current Thread [Next in Thread]