Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations
From: Andrew Tropin
Subject: Re: [POSTMORTEM] Subkey is not authorized by .guix-authorizations
Date: Mon, 05 Sep 2022 10:07:25 +0300
On 2022-09-02 15:23, Ludovic Courtès wrote:
> Hello!
>
> I’m late to the party, but thanks a lot for sending this analysis!
>
> Andrew Tropin <andrew@trop.in> wrote:
>
>> * What could be done better?
>> - guix pull could be done from local checkout, before pushing.
>
> Setting a pre-push hook that invokes ‘guix git authenticate’, as
> recommended in the manual (info "(guix) Commit Access"), should be
> enough: ‘git push’ would just fail in that situation.
For some reason I thought it ran git verify-commit, which I used
manually to check whether a commit is signed, but it runs make authenticate,
which of course works the other way. Missed it, my bad.
I have elaborated on this topic a little more in the manual.
From e510ea1595c54bec788485f0638967d457afaf3d Mon Sep 17 00:00:00 2001
From: Andrew Tropin <andrew@trop.in>
Date: Mon, 5 Sep 2022 09:46:23 +0300
Subject: [PATCH] doc: Add more info about local verification of commit
signatures.
* doc/contributing.texi (Commit Access): Add more info about local
verification of commit signatures.
---
doc/contributing.texi | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/doc/contributing.texi b/doc/contributing.texi
index b1d236c011..17a54f94cc 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -1627,14 +1627,23 @@ git config commit.gpgsign true
git config user.signingkey CABBA6EA1DC0FF33
@end example
-You can prevent yourself from accidentally pushing unsigned commits to
-Savannah by using the pre-push Git hook located at
-@file{etc/git/pre-push}:
+To check that commits are signed with correct key, use:
+
+@example
+make authenticate
+@end example
+
+You can prevent yourself from accidentally pushing unsigned or signed
+with the wrong key commits to Savannah by using the pre-push Git hook
+located at @file{etc/git/pre-push}:
@example
cp etc/git/pre-push .git/hooks/pre-push
@end example
+It additionally calls @code{make check-channel-news} to be sure
+@file{news.scm} file is correct.
+
@subsection Commit Policy
If you get commit access, please make sure to follow
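Review bot: the new sentence "To check that commits are signed with correct key, use:" does not say what "correct" means; since the incident behind this patch was a subkey that .guix-authorizations did not list, name what the check compares against, e.g. "To check that commits are signed with a key listed in @file{.guix-authorizations}, run:". Two wording fixes in the same hunk: "pushing unsigned or signed with the wrong key commits" reads better as "pushing unsigned commits, or commits signed with the wrong key", and in "It additionally calls @code{make check-channel-news} to be sure @file{news.scm} file is correct" the "It" comes right after an @example block so its antecedent is unclear and "the" is missing: "The hook additionally runs @code{make check-channel-news} to make sure the @file{news.scm} file is correct."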
--
2.37.2
>> - Accept subkey on guix pull if master key is in .guix-authorizations.
>
> Reported at <https://issues.guix.gnu.org/57091>.
>
>> - Add pre-push hook, which checks authorization on Savannah.
>
> That one is difficult: Guix is not installed on those machines.
>
> Another option would be to push to a different machine, one that we
> control, and make Savannah a mirror of that one.
It can work, but looks fragile.
>
> Thoughts?
Let's ask the Savannah admins whether it is possible to install Guix on those
machines and add a pre-receive/update hook. If not, we will look for
other options.
--
Best regards,
Andrew Tropin
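The local check Ludovic recommends above, a pre-push hook that runs guix git authenticate so that git push fails on the committer's machine, as an added illustration that is not part of this thread and not Guix's own etc/git/pre-push. It assumes the pre-push stdin format git documents (one line per ref: local ref, local SHA, remote ref, remote SHA) and the --end option of guix git authenticate; the introduction commit, signer fingerprint, and AUTHENTICATE_CMD/GUIX_INTRO_* variables are placeholders to be replaced for a real checkout.

```shell
#!/bin/sh
# Added example of a pre-push hook that runs 'guix git authenticate' on
# every branch about to be pushed, so 'git push' fails locally when a commit
# is signed with a key that .guix-authorizations does not list.  This is
# illustrative code, not Guix's etc/git/pre-push.
#
# Git feeds a pre-push hook one line per ref on stdin,
#   <local ref> <local sha1> <remote ref> <remote sha1>
# and aborts the push if the hook exits non-zero.

# Assumed placeholders: the channel introduction (commit and signer
# fingerprint) of the repository being pushed.  Replace with the real ones.
INTRO_COMMIT="${GUIX_INTRO_COMMIT:-0000000000000000000000000000000000000000}"
INTRO_SIGNER="${GUIX_INTRO_SIGNER:-0000 0000 0000 0000 0000  0000 0000 0000 0000 0000}"

# Command used to authenticate; kept in a variable so it can be overridden
# (for instance by a stub when exercising the hook outside a Guix checkout).
AUTHENTICATE="${AUTHENTICATE_CMD:-guix git authenticate}"

ZERO_SHA=0000000000000000000000000000000000000000

# authenticate_push reads pre-push lines from stdin and returns 0 only if
# every pushed branch authenticates; it keeps going after a failure so all
# rejected refs are reported before the push is refused.
authenticate_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        # A delete push sends the all-zero SHA: nothing to authenticate.
        [ "$local_sha" = "$ZERO_SHA" ] && continue
        # Walk from the introduction up to the commit being pushed (--end),
        # checking each commit's signature against the .guix-authorizations
        # of its parent.  $AUTHENTICATE is deliberately unquoted so that
        # "guix git authenticate" splits into separate words.
        if ! $AUTHENTICATE --end="$local_sha" "$INTRO_COMMIT" "$INTRO_SIGNER"; then
            echo "pre-push: $local_ref ($local_sha) is not authorized; refusing to push" >&2
            status=1
        fi
    done
    return "$status"
}

# Only run when installed as .git/hooks/pre-push; sourcing the file elsewhere
# just defines the function.
case "$0" in
    */pre-push|pre-push) authenticate_push ;;
esac
```

Install it with cp into .git/hooks/pre-push and make it executable; because the check runs on the pushing machine, it catches exactly the case from the postmortem (a commit signed with a key that the repository does not authorize) before Savannah ever sees it, without needing Guix on the Savannah side.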