Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations


From: Andrew Tropin
Subject: Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations
Date: Mon, 05 Sep 2022 10:07:25 +0300

On 2022-09-02 15:23, Ludovic Courtès wrote:

> Hello!
>
> I’m late to the party, but thanks a lot for sending this analysis!
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> * What could be done better?
>> - guix pull could be done from local checkout, before pushing.
>
> Setting a pre-push hook that invokes ‘guix git authenticate’, as
> recommended in the manual (info "(guix) Commit Access"), should be
> enough: ‘git push’ would just fail in that situation.

For some reason I thought it does git verify-commit, which I used
manually to check if a commit is signed, but it does make authenticate,
which of course works the other way.  Missed it, my bad.

I have elaborated on this topic a little more in the manual.
From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Mon, 5 Sep 2022 09:46:23 +0300
Subject: [PATCH] doc: Add more info about commits signature local
 verification.

* doc/contributing.texi (Commit Access): Add more info about commits signature
local verification.
---
 doc/contributing.texi | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/doc/contributing.texi b/doc/contributing.texi
index b1d236c011..17a54f94cc 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1627,14 +1627,23 @@ git config commit.gpgsign true
 git config user.signingkey CABBA6EA1DC0FF33
 @end example
 
-You can prevent yourself from accidentally pushing unsigned commits to
-Savannah by using the pre-push Git hook located at
-@file{etc/git/pre-push}:
+To check that commits are signed with correct key, use:
+
+@example
+make authenticate
+@end example
+
+You can prevent yourself from accidentally pushing unsigned or signed
+with the wrong key commits to Savannah by using the pre-push Git hook
+located at @file{etc/git/pre-push}:
 
 @example
 cp etc/git/pre-push .git/hooks/pre-push
 @end example
 
+It additionally calls @code{make check-channel-news} to be sure
+@file{news.scm} file is correct.
+
 @subsection Commit Policy
 
 If you get commit access, please make sure to follow
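Review bot: the second added paragraph's "unsigned or signed with the wrong key commits" is hard to parse; consider "commits that are unsigned or signed with the wrong key". In the last added paragraph, "It additionally calls @code{make check-channel-news}" follows an @example block, so the subject is ambiguous; name it explicitly, e.g. "The hook additionally runs @code{make check-channel-news} to make sure the @file{news.scm} file is correct." Minor: "signed with correct key" in the first added sentence should read "signed with the correct key".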
-- 
2.37.2

>> - Accept subkey on guix pull if master key is in .guix-authorizations.
>
> Reported at <https://issues.guix.gnu.org/57091>.
>
>> - Add pre-push hook, which checks authorization on Savannah.
>
> That one is difficult: Guix is not installed on those machines.
>
> Another option would be to push to a different machine, one that we
> control, and make Savannah a mirror of that one.

It can work, but looks fragile.

>
> Thoughts?

Let's ask the Savannah admins if it is possible to install Guix on those
machines and add a pre-receive/update hook.  If not, we will look for
other options.

-- 
Best regards,
Andrew Tropin

Attachment: signature.asc
Description: PGP signature
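As an added illustration of the pre-push hook mechanism discussed in the thread above (this is an example written here, not Guix's own etc/git/pre-push and not code from any participant): a minimal hook skeleton that runs `guix git authenticate` over each ref about to be pushed and aborts the push when authentication fails, which is what makes `git push` "just fail" for an unauthorized commit. The introduction commit and key fingerprint are placeholders, the `--end` option of `guix git authenticate` is assumed to limit authentication to the commits being pushed, and the authentication command can be overridden through the AUTHENTICATE variable so the skeleton can be exercised without a Guix checkout.

```shell
#!/bin/sh
# Added example, not the etc/git/pre-push hook shipped with Guix.
#
# Git runs pre-push with two arguments (remote name, remote URL) and feeds
# one line per ref being pushed on stdin:
#   <local ref> <local sha1> <remote ref> <remote sha1>
# A non-zero exit status aborts the push before anything reaches the server.

ZERO=0000000000000000000000000000000000000000

# Channel introduction: placeholders, replace with the real values.
INTRO_COMMIT="${INTRO_COMMIT:-<introduction-commit-placeholder>}"
INTRO_KEY="${INTRO_KEY:-<introduction-fingerprint-placeholder>}"

# Command run for every pushed ref.  Defaults to `guix git authenticate`;
# it is overridable (e.g. AUTHENTICATE=true or false) for testing the hook
# logic itself.  `--end=COMMIT` is assumed to stop authentication at COMMIT.
AUTHENTICATE="${AUTHENTICATE:-guix git authenticate $INTRO_COMMIT $INTRO_KEY}"

# authenticate_ref LOCAL_SHA: succeed when the commits reachable from
# LOCAL_SHA authenticate against .guix-authorizations.
authenticate_ref() {
    local_sha=$1
    # An all-zero local sha means the push deletes a remote ref: no commits
    # are transferred, so there is nothing to authenticate.
    if [ "$local_sha" = "$ZERO" ]; then
        return 0
    fi
    $AUTHENTICATE --end="$local_sha" >/dev/null 2>&1
}

# check_push: read the ref lines Git hands to pre-push on stdin and return
# non-zero if any pushed ref fails to authenticate.  Every ref is checked so
# the user sees all offending refs, not just the first.
check_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ -n "$local_ref" ] || continue
        if ! authenticate_ref "$local_sha"; then
            echo "pre-push: refusing to push $local_ref to $remote_ref:" \
                 "commits are not authorized" >&2
            status=1
        fi
    done
    return $status
}

# Only act as a hook when installed as .git/hooks/pre-push; when the file
# is sourced or run under another name the functions are merely defined.
if [ "${0##*/}" = "pre-push" ]; then
    check_push
fi
```

Installed as `.git/hooks/pre-push`, the script exits non-zero whenever one of the pushed refs fails authentication, so Git refuses the push locally; deleting a remote branch is let through because no commits are transferred.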

