[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Commit pushed to master with unauthorised signature

From: Leo Famulari
Subject: Re: Commit pushed to master with unauthorised signature
Date: Thu, 11 Mar 2021 14:16:35 -0500

On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.

The security model is based on the client-side, i.e. `guix pull`. That
way, we don't have to trust the Git repo. We do want to improve the repo
so that it's not possible to push commits signed with unauthorized keys,
but that hasn't been done yet.
> However, I also assumed that adding a new GPG key to my
> account would be sufficient.  I did that via the web interface, and
> ensured that the encryption test is successful.  The commit is signed
> with that new GPG key.

Adding your key(s) to your Savannah account is a required step...

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo, or are they not automatically synced, or is
> this a further bug?..

... but, we have a new code authentication system, described in the
manual section Specifying Channel Authorizations:

Basically, committers' keys must be added to the .guix-authorizations
file in the Git repo before their work will be accepted by `guix pull`.

We are really happy that you are pushing code again :)

When this issue popped up yesterday, I removed your commit access just
to avoid further broken commits. Concretely, this means that I removed
you from the Guix "group" on Savannah.

However, I want to re-add you as a committer. Please read the manual
sections Commit Access. Especially, the part about the pre-push Git
hook, which would have caught this issue before pushing.

Let me know when you've read the updated committer workflow guidelines
and installed the pre-push Git hook, and we'll add your new key to
.guix-authorizations, re-add you to the Savannah group, and then we can
continue with our happy hacking :)

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]