[PATCH 0/9] Authenticate channels

DoneSubmitted by Ludovic Courtès.
Details
3 participants
  • Ludovic Courtès
  • Maxim Cournoyer
  • zimoun
Owner
unassigned
Severity
normal
L
L
Ludovic Courtès wrote on 8 Jun 2020 23:52
Download
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608215224.2672-1-ludo@gnu.org
Download
Hi Guix!

This patch series does it! It integrates checkout authentication
with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
automatically authenticate the commits they fetch and raise an
error if they find an unsigned commit or a commit signed by an
unauthorized party¹.

Channel introductions² are implemented but not exposed. Thus,
third-party channels cannot use the authentication mechanism yet.
Conversely, the ‘guix’ channel is authenticated by default.

Any commit in the closure of the introduction’s first commit
is considered authentic (for instance, the commit pointed to
by ‘v0.5’ is considered authentic, even though it’s not even
signed.) Conversely, any commit that does _not_ contain the
introduction’s first commit in its closure is considered
inauthentic.

The patch marked “DROP?” implements “prehistorical authorizations”,
i.e., authorizations for when ‘.guix-authorizations’ didn’t exist
(“make authenticate” does that as well).

Without that patch, we take 87a40d7203a813921b3ef0805c2b46c0026d6c31
(May 5th) as the introduction’s first commit.

In concrete terms, what the patch marked as “DROP?” would buy
us is the ability to merge branches created between ‘v1.0.0’ and
87a40…. I think it’s not that useful, so I’m willing to drop it.
(We can always take it later if we want to.)

There’s a ‘--disable-authentication’ escape hatch for ‘guix pull’,
but not for ‘guix time-machine’ (we’d need to make sure we don’t
cache an inferior that was not authenticated.)

I would much welcome feedback! I’m happy to answer questions if
anything’s unclear. Don’t hesitate, because after that it’ll be
harder to change!

Ludo’.

¹ https://issues.guix.gnu.org/issue/22883#64
² https://issues.guix.gnu.org/issue/22883#69

Ludovic Courtès (9):
git-authenticate: Cache takes a key parameter.
git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
tests: Move OpenPGP helpers to (guix tests gnupg).
channels: 'latest-channel-instance' authenticates Git checkouts.
channels: Make 'validate-pull' call right after clone/pull.
.guix-channel: Add 'keyring-reference'.
channels: Automatically add introduction for the official 'guix'
channel.
pull: Add '--disable-authentication'.
DROP? channels: Add prehistorical authorizations to
<channel-introduction>.

.dir-locals.el | 1 +
.guix-channel | 3 +-
build-aux/git-authenticate.scm | 246 +------------------
doc/guix.texi | 20 +-
guix/channels.scm | 437 +++++++++++++++++++++++++++++++--
guix/git-authenticate.scm | 32 +--
guix/scripts/pull.scm | 24 +-
guix/tests/gnupg.scm | 32 ++-
tests/channels.scm | 128 +++++++++-
tests/git-authenticate.scm | 25 --
10 files changed, 634 insertions(+), 314 deletions(-)

--
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 1/9] git-authenticate: Cache takes a key parameter.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-1-ludo@gnu.org
Download
* guix/git-authenticate.scm (authenticated-commit-cache-file)
(cache-authenticated-commit, previously-authenticated-commits): Add
'key' parameter and honor it.
* build-aux/git-authenticate.scm (git-authenticate): Pass
"channels/guix" as the key.
---
build-aux/git-authenticate.scm | 5 +++--
guix/git-authenticate.scm | 24 ++++++++++++------------
2 files changed, 15 insertions(+), 14 deletions(-)

Toggle diff (75 lines)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 5e1fdaaa24..a3d4b40ccf 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -252,7 +252,7 @@
          (filter-map (lambda (id)
                        (false-if-exception
                         (commit-lookup repository (string->oid id))))
-                     (previously-authenticated-commits)))
+                     (previously-authenticated-commits "channels/guix")))
 
        (define commits
          ;; Commits to authenticate, excluding the closure of
@@ -274,7 +274,8 @@
                                               #:default-authorizations
                                               %historical-authorized-signing-keys
                                               #:report-progress report)))))
-         (cache-authenticated-commit (oid->string (commit-id end-commit)))
+         (cache-authenticated-commit "channels/guix"
+                                     (oid->string (commit-id end-commit)))
 
          (unless (null? stats)
            (format #t (G_ "Signing statistics:~%"))
diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm
index c333717136..6d71228d72 100644
--- a/guix/git-authenticate.scm
+++ b/guix/git-authenticate.scm
@@ -272,33 +272,33 @@ The OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY."
 ;;; Caching.
 ;;;
 
-(define (authenticated-commit-cache-file)
+(define (authenticated-commit-cache-file key)
   "Return the name of the file that contains the cache of
-previously-authenticated commits."
-  (string-append (cache-directory) "/authentication/channels/guix"))
+previously-authenticated commits for KEY."
+  (string-append (cache-directory) "/authentication/" key))
 
-(define (previously-authenticated-commits)
-  "Return the previously-authenticated commits as a list of commit IDs (hex
-strings)."
+(define (previously-authenticated-commits key)
+  "Return the previously-authenticated commits under KEY as a list of commit
+IDs (hex strings)."
   (catch 'system-error
     (lambda ()
-      (call-with-input-file (authenticated-commit-cache-file)
+      (call-with-input-file (authenticated-commit-cache-file key)
         read))
     (lambda args
       (if (= ENOENT (system-error-errno args))
           '()
           (apply throw args)))))
 
-(define (cache-authenticated-commit commit-id)
-  "Record in ~/.cache COMMIT-ID and its closure as authenticated (only
-COMMIT-ID is written to cache, though)."
+(define (cache-authenticated-commit key commit-id)
+  "Record in ~/.cache, under KEY, COMMIT-ID and its closure as
+authenticated (only COMMIT-ID is written to cache, though)."
   (define %max-cache-length
     ;; Maximum number of commits in cache.
     200)
 
   (let ((lst  (delete-duplicates
-               (cons commit-id (previously-authenticated-commits))))
-        (file (authenticated-commit-cache-file)))
+               (cons commit-id (previously-authenticated-commits key))))
+        (file (authenticated-commit-cache-file key)))
     (mkdir-p (dirname file))
     (with-atomic-file-output file
       (lambda (port)
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 2/9] git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-2-ludo@gnu.org
Download
* guix/git-authenticate.scm (authenticate-commits): Add #:keyring
parameter.
---
guix/git-authenticate.scm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

Toggle diff (24 lines)
diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm
index 6d71228d72..4795ccf12a 100644
--- a/guix/git-authenticate.scm
+++ b/guix/git-authenticate.scm
@@ -248,13 +248,13 @@ an OpenPGP keyring."
                                #:key
                                (default-authorizations '())
                                (keyring-reference "keyring")
+                               (keyring (load-keyring-from-reference
+                                         repository keyring-reference))
                                (report-progress (const #t)))
   "Authenticate COMMITS, a list of commit objects, calling REPORT-PROGRESS for
 each of them.  Return an alist showing the number of occurrences of each key.
-The OpenPGP keyring is loaded from KEYRING-REFERENCE in REPOSITORY."
-  (define keyring
-    (load-keyring-from-reference repository keyring-reference))
-
+If KEYRING is omitted, the OpenPGP keyring is loaded from KEYRING-REFERENCE in
+REPOSITORY."
   (fold (lambda (commit stats)
           (report-progress)
           (let ((signer (authenticate-commit repository commit keyring
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 3/9] tests: Move OpenPGP helpers to (guix tests gnupg).
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-3-ludo@gnu.org
Download
* tests/git-authenticate.scm (key-id): Remove.
(%ed25519-public-key-file, %ed25519-secret-key-file)
(%ed25519bis-public-key-file, %ed25519bis-secret-key-file)
(read-openpgp-packet, key-fingerprint): Move to...
* guix/tests/gnupg.scm: ... here.
---
guix/tests/gnupg.scm | 32 +++++++++++++++++++++++++++++++-
tests/git-authenticate.scm | 25 -------------------------
2 files changed, 31 insertions(+), 26 deletions(-)

Toggle diff (90 lines)
diff --git a/guix/tests/gnupg.scm b/guix/tests/gnupg.scm
index 47c858d232..eb8ff63a43 100644
--- a/guix/tests/gnupg.scm
+++ b/guix/tests/gnupg.scm
@@ -17,12 +17,23 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (guix tests gnupg)
+  #:use-module (guix openpgp)
   #:use-module (guix utils)
   #:use-module (guix build utils)
+  #:use-module (rnrs io ports)
   #:use-module (ice-9 match)
   #:export (gpg-command
             gpgconf-command
-            with-fresh-gnupg-setup))
+            with-fresh-gnupg-setup
+
+            %ed25519-public-key-file
+            %ed25519-secret-key-file
+            %ed25519bis-public-key-file
+            %ed25519bis-secret-key-file
+
+            read-openpgp-packet
+            key-fingerprint
+            key-id))
 
 (define gpg-command
   (make-parameter "gpg"))
@@ -50,3 +61,22 @@ listed in IMPORTED, and only them, have been imported.  This sets 'GNUPGHOME'
 such that the user's real GnuPG files are left untouched.  The 'gpg-agent'
 process is terminated afterwards."
   (call-with-fresh-gnupg-setup imported (lambda () exp ...)))
+
+(define %ed25519-public-key-file
+  (search-path %load-path "tests/ed25519.key"))
+(define %ed25519-secret-key-file
+  (search-path %load-path "tests/ed25519.sec"))
+(define %ed25519bis-public-key-file
+  (search-path %load-path "tests/ed25519bis.key"))
+(define %ed25519bis-secret-key-file
+  (search-path %load-path "tests/ed25519bis.sec"))
+
+(define (read-openpgp-packet file)
+  (get-openpgp-packet
+   (open-bytevector-input-port
+    (call-with-input-file file read-radix-64))))
+
+(define key-fingerprint
+  (compose openpgp-format-fingerprint
+           openpgp-public-key-fingerprint
+           read-openpgp-packet))
diff --git a/tests/git-authenticate.scm b/tests/git-authenticate.scm
index 84689d628e..d713fa6a22 100644
--- a/tests/git-authenticate.scm
+++ b/tests/git-authenticate.scm
@@ -32,31 +32,6 @@
 
 ;; Test the (guix git-authenticate) tools.
 
-(define %ed25519-public-key-file
-  (search-path %load-path "tests/ed25519.key"))
-(define %ed25519-secret-key-file
-  (search-path %load-path "tests/ed25519.sec"))
-(define %ed25519bis-public-key-file
-  (search-path %load-path "tests/ed25519bis.key"))
-(define %ed25519bis-secret-key-file
-  (search-path %load-path "tests/ed25519bis.sec"))
-
-(define (read-openpgp-packet file)
-  (get-openpgp-packet
-   (open-bytevector-input-port
-    (call-with-input-file file read-radix-64))))
-
-(define key-fingerprint
-  (compose openpgp-format-fingerprint
-           openpgp-public-key-fingerprint
-           read-openpgp-packet))
-
-(define (key-id file)
-  (define id
-    (openpgp-public-key-id (read-openpgp-packet)))
-
-  (string-pad (number->string id 16) 16 #\0))
-
 (define (gpg+git-available?)
   (and (which (git-command))
        (which (gpg-command)) (which (gpgconf-command))))
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 5/9] channels: Make 'validate-pull' call right after clone/pull.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-5-ludo@gnu.org
Download
This should come before patching, authentication, etc.

* guix/channels.scm (latest-channel-instance): Add #:validate-pull
parameter and honor it. Return a single value: the instance.
(ensure-forward-channel-update): Change 'instance' parameter to 'commit'
and adjust accordingly.
(latest-channel-instances): Adjust to 'latest-channel-instance' changes.
* guix/scripts/pull.scm (warn-about-backward-updates): Change 'instance'
parameter to 'commit' and adjust accordingly.
* tests/channels.scm ("latest-channel-instances #:validate-pull"):
Likewise.
---
guix/channels.scm | 37 ++++++++++++++++++++-----------------
guix/scripts/pull.scm | 10 ++++------
tests/channels.scm | 4 ++--
3 files changed, 26 insertions(+), 25 deletions(-)

Toggle diff (128 lines)
diff --git a/guix/channels.scm b/guix/channels.scm
index c2ea0e26ff..6047b51010 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -376,9 +376,12 @@ commits ~a to ~a (~h new commits)...~%")
 
 (define* (latest-channel-instance store channel
                                   #:key (patches %patches)
-                                  starting-commit)
-  "Return two values: the latest channel instance for CHANNEL, and its
-relation to STARTING-COMMIT when provided."
+                                  starting-commit
+                                  (validate-pull
+                                   ensure-forward-channel-update))
+  "Return the latest channel instance for CHANNEL.  When STARTING-COMMIT is
+true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
+their relation."
   (define (dot-git? file stat)
     (and (string=? (basename file) ".git")
          (eq? 'directory (stat:type stat))))
@@ -387,6 +390,9 @@ relation to STARTING-COMMIT when provided."
                 (update-cached-checkout (channel-url channel)
                                         #:ref (channel-reference channel)
                                         #:starting-commit starting-commit)))
+    (when relation
+      (validate-pull channel starting-commit commit relation))
+
     (if (channel-introduction channel)
         (authenticate-channel channel checkout commit)
         ;; TODO: Warn for all the channels once the authentication interface
@@ -403,12 +409,11 @@ relation to STARTING-COMMIT when provided."
     (let* ((name     (url+commit->name (channel-url channel) commit))
            (checkout (add-to-store store name #t "sha256" checkout
                                    #:select? (negate dot-git?))))
-      (values (channel-instance channel commit checkout)
-              relation))))
+      (channel-instance channel commit checkout))))
 
-(define (ensure-forward-channel-update channel start instance relation)
+(define (ensure-forward-channel-update channel start commit relation)
   "Raise an error if RELATION is not 'ancestor, meaning that START is not an
-ancestor of the commit in INSTANCE, unless CHANNEL specifies a commit.
+ancestor of COMMIT, unless CHANNEL specifies a commit.
 
 This procedure implements a channel update policy meant to be used as a
 #:validate-pull argument."
@@ -422,8 +427,7 @@ This procedure implements a channel update policy meant to be used as a
                          (format #f (G_ "\
 aborting update of channel '~a' to commit ~a, which is not a descendant of ~a")
                                  (channel-name channel)
-                                 (channel-instance-commit instance)
-                                 start))))
+                                 commit start))))
 
              ;; If the user asked for a specific commit, they might want
              ;; that to happen nevertheless, so tell them about the
@@ -482,14 +486,13 @@ depending on the policy it implements."
                              (G_ "Updating channel '~a' from Git repository at '~a'...~%")
                              (channel-name channel)
                              (channel-url channel))
-                     (let*-values (((current)
-                                    (current-commit (channel-name channel)))
-                                   ((instance relation)
-                                    (latest-channel-instance store channel
-                                                             #:starting-commit
-                                                             current)))
-                       (when relation
-                         (validate-pull channel current instance relation))
+                     (let* ((current (current-commit (channel-name channel)))
+                            (instance
+                             (latest-channel-instance store channel
+                                                      #:validate-pull
+                                                      validate-pull
+                                                      #:starting-commit
+                                                      current)))
 
                        (let-values (((new-instances new-channels)
                                      (loop (channel-instance-dependencies instance)
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index c386d81b8e..d3d0d2bd64 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -195,20 +195,18 @@ Download and deploy the latest version of Guix.\n"))
 
          %standard-build-options))
 
-(define (warn-about-backward-updates channel start instance relation)
-  "Warn about non-forward updates of CHANNEL from START to INSTANCE, without
+(define (warn-about-backward-updates channel start commit relation)
+  "Warn about non-forward updates of CHANNEL from START to COMMIT, without
 aborting."
   (match relation
     ((or 'ancestor 'self)
      #t)
     ('descendant
      (warning (G_ "rolling back channel '~a' from ~a to ~a~%")
-              (channel-name channel) start
-              (channel-instance-commit instance)))
+              (channel-name channel) start commit))
     ('unrelated
      (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%")
-              (channel-name channel) start
-              (channel-instance-commit instance)))))
+              (channel-name channel) start commit))))
 
 (define* (display-profile-news profile #:key concise?
                                current-is-newer?)
diff --git a/tests/channels.scm b/tests/channels.scm
index 2c857083e9..5f13a48ec1 100644
--- a/tests/channels.scm
+++ b/tests/channels.scm
@@ -212,12 +212,12 @@
                                  (commit (oid->string (commit-id commit2)))))
                (old     (channel (inherit spec)
                                  (commit (oid->string (commit-id commit1))))))
-          (define (validate-pull channel current instance relation)
+          (define (validate-pull channel current commit relation)
             (return (and (eq? channel old)
                          (string=? (oid->string (commit-id commit2))
                                    current)
                          (string=? (oid->string (commit-id commit1))
-                                   (channel-instance-commit instance))
+                                   commit)
                          relation)))
 
           (with-store store
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-4-ludo@gnu.org
Download
Fixes https://bugs.gnu.org/22883.

* guix/channels.scm (<channel>)[introduction]: New field.
(<channel-introduction>): New record type.
(%guix-channel-introduction): New variable.
(%default-channels): Use it.
(<channel-metadata>)[keyring-reference]: New field.
(%default-keyring-reference): New variable.
(read-channel-metadata, read-channel-metadata-from-source): Initialize
the 'keyring-reference' field.
(commit-short-id, verify-introductory-commit)
(authenticate-channel): New procedures.
(latest-channel-instance): Call 'authenticate-channel' when CHANNEL has
an introduction.
* tests/channels.scm (gpg+git-available?, commit-id-string): New
procedures.
("authenticate-channel, wrong first commit signer"):
("authenticate-channel, .guix-authorizations"): New tests.
* doc/guix.texi (Invoking guix pull): Mention authentication.
---
.dir-locals.el | 1 +
doc/guix.texi | 6 +-
guix/channels.scm | 182 +++++++++++++++++++++++++++++++++++++++++++--
tests/channels.scm | 122 ++++++++++++++++++++++++++++++
4 files changed, 304 insertions(+), 7 deletions(-)

Toggle diff (469 lines)
diff --git a/.dir-locals.el b/.dir-locals.el
index dc8bc0e437..7ac1eb7509 100644
--- a/.dir-locals.el
+++ b/.dir-locals.el
@@ -95,6 +95,7 @@
    (eval . (put 'eventually 'scheme-indent-function 1))
 
    (eval . (put 'call-with-progress-reporter 'scheme-indent-function 1))
+   (eval . (put 'with-repository 'scheme-indent-function 2))
    (eval . (put 'with-temporary-git-repository 'scheme-indent-function 2))
    (eval . (put 'with-environment-variables 'scheme-indent-function 1))
    (eval . (put 'with-fresh-gnupg-setup 'scheme-indent-function 1))
diff --git a/doc/guix.texi b/doc/guix.texi
index 056bf011f6..6fcb47970b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3719,13 +3719,17 @@ this option is primarily useful when the daemon was running with
 @cindex updating Guix
 @cindex @command{guix pull}
 @cindex pull
+@cindex security, @command{guix pull}
+@cindex authenticity, of code obtained with @command{guix pull}
 Packages are installed or upgraded to the latest version available in
 the distribution currently available on your local machine.  To update
 that distribution, along with the Guix tools, you must run @command{guix
 pull}: the command downloads the latest Guix source code and package
 descriptions, and deploys it.  Source code is downloaded from a
 @uref{https://git-scm.com, Git} repository, by default the official
-GNU@tie{}Guix repository, though this can be customized.
+GNU@tie{}Guix repository, though this can be customized.  @command{guix
+pull} ensures that the code it downloads is @emph{authentic} by
+verifying that commits are signed by Guix developers.
 
 Specifically, @command{guix pull} downloads code from the @dfn{channels}
 (@pxref{Channels}) specified by one of the followings, in this order:
diff --git a/guix/channels.scm b/guix/channels.scm
index 84c47fc0d0..c2ea0e26ff 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -21,6 +21,11 @@
 (define-module (guix channels)
   #:use-module (git)
   #:use-module (guix git)
+  #:use-module (guix git-authenticate)
+  #:use-module ((guix openpgp)
+                #:select (openpgp-public-key-fingerprint
+                          openpgp-format-fingerprint))
+  #:use-module (guix base16)
   #:use-module (guix records)
   #:use-module (guix gexp)
   #:use-module (guix modules)
@@ -28,6 +33,7 @@
   #:use-module (guix monads)
   #:use-module (guix profiles)
   #:use-module (guix packages)
+  #:use-module (guix progress)
   #:use-module (guix derivations)
   #:use-module (guix combinators)
   #:use-module (guix diagnostics)
@@ -48,17 +54,23 @@
   #:autoload   (guix self) (whole-package make-config.scm)
   #:autoload   (guix inferior) (gexp->derivation-in-inferior) ;FIXME: circular dep
   #:autoload   (guix quirks) (%quirks %patches applicable-patch? apply-patch)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:use-module (ice-9 vlist)
   #:use-module ((ice-9 rdelim) #:select (read-string))
+  #:use-module ((rnrs bytevectors) #:select (bytevector=?))
   #:export (channel
             channel?
             channel-name
             channel-url
             channel-branch
             channel-commit
+            channel-introduction
             channel-location
 
+            channel-introduction?
+            ;; <channel-introduction> accessors purposefully omitted for now.
+
             %default-channels
             guix-channel?
 
@@ -67,6 +79,7 @@
             channel-instance-commit
             channel-instance-checkout
 
+            authenticate-channel
             latest-channel-instances
             checkout->channel-instance
             latest-channel-derivation
@@ -104,15 +117,44 @@
   (url       channel-url)
   (branch    channel-branch (default "master"))
   (commit    channel-commit (default #f))
+  (introduction channel-introduction (default #f))
   (location  channel-location
              (default (current-source-location)) (innate)))
 
+;; Channel introductions.  A "channel introduction" provides a commit/signer
+;; pair that specifies the first commit of the authentication process as well
+;; as its signer's fingerprint.  The pair must be signed by the signer of that
+;; commit so that only them may emit this introduction.  Introductions are
+;; used to bootstrap trust in a channel.
+(define-record-type <channel-introduction>
+  (make-channel-introduction first-signed-commit first-commit-signer
+                             signature)
+  channel-introduction?
+  (first-signed-commit  channel-introduction-first-signed-commit) ;hex string
+  (first-commit-signer  channel-introduction-first-commit-signer) ;bytevector
+  (signature            channel-introduction-signature))          ;string
+
+(define %guix-channel-introduction
+  ;; Introduction of the official 'guix channel.  The chosen commit is the
+  ;; first one that introduces '.guix-authorizations' on the 'core-updates'
+  ;; branch that was eventually merged in 'master'.  Any branch starting
+  ;; before that commit cannot be merged or it will be rejected by 'guix pull'
+  ;; & co.
+  (make-channel-introduction
+   "87a40d7203a813921b3ef0805c2b46c0026d6c31"
+   (base16-string->bytevector
+    (string-downcase
+     (string-filter char-set:hex-digit            ;mbakke
+                    "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))
+   #f))                   ;TODO: Add an intro signature so it can be exported.
+
 (define %default-channels
   ;; Default list of channels.
   (list (channel
          (name 'guix)
          (branch "master")
-         (url "https://git.savannah.gnu.org/git/guix.git"))))
+         (url "https://git.savannah.gnu.org/git/guix.git")
+         (introduction %guix-channel-introduction))))
 
 (define (guix-channel? channel)
   "Return true if CHANNEL is the 'guix' channel."
@@ -126,11 +168,16 @@
   (checkout  channel-instance-checkout))
 
 (define-record-type <channel-metadata>
-  (channel-metadata directory dependencies news-file)
+  (channel-metadata directory dependencies news-file keyring-reference)
   channel-metadata?
   (directory     channel-metadata-directory)      ;string with leading slash
   (dependencies  channel-metadata-dependencies)   ;list of <channel>
-  (news-file     channel-metadata-news-file))     ;string | #f
+  (news-file     channel-metadata-news-file)      ;string | #f
+  (keyring-reference channel-metadata-keyring-reference)) ;string
+
+(define %default-keyring-reference
+  ;; Default value of the 'keyring-reference' field.
+  "keyring")
 
 (define (channel-reference channel)
   "Return the \"reference\" for CHANNEL, an sexp suitable for
@@ -147,7 +194,10 @@ if valid metadata could not be read from PORT."
     (('channel ('version 0) properties ...)
      (let ((directory    (and=> (assoc-ref properties 'directory) first))
            (dependencies (or (assoc-ref properties 'dependencies) '()))
-           (news-file    (and=> (assoc-ref properties 'news-file) first)))
+           (news-file    (and=> (assoc-ref properties 'news-file) first))
+           (keyring-reference
+            (or (and=> (assoc-ref properties 'keyring-reference) first)
+                %default-keyring-reference)))
        (channel-metadata
         (cond ((not directory) "/")               ;directory
               ((string-prefix? "/" directory) directory)
@@ -164,7 +214,8 @@ if valid metadata could not be read from PORT."
                     (url url)
                     (commit (get 'commit))))))
              dependencies)
-        news-file)))                              ;news-file
+        news-file
+        keyring-reference)))
     ((and ('channel ('version version) _ ...) sexp)
      (raise (condition
              (&message (message "unsupported '.guix-channel' version"))
@@ -188,7 +239,7 @@ doesn't exist."
         read-channel-metadata))
     (lambda args
       (if (= ENOENT (system-error-errno args))
-          (channel-metadata "/" '() #f)
+          (channel-metadata "/" '() #f %default-keyring-reference)
           (apply throw args)))))
 
 (define (channel-instance-metadata instance)
@@ -212,6 +263,117 @@ result is unspecified."
          (apply-patch patch checkout))
        (loop rest)))))
 
+(define commit-short-id
+  (compose (cut string-take <> 7) oid->string commit-id))
+
+(define (verify-introductory-commit repository introduction keyring)
+  "Raise an exception if the first commit described in INTRODUCTION doesn't
+have the expected signer."
+  (define commit-id
+    (channel-introduction-first-signed-commit introduction))
+
+  (define actual-signer
+    (openpgp-public-key-fingerprint
+     (commit-signing-key repository (string->oid commit-id)
+                         keyring)))
+
+  (define expected-signer
+    (channel-introduction-first-commit-signer introduction))
+
+  (unless (bytevector=? expected-signer actual-signer)
+    (raise (condition
+            (&message
+             (message (format #f (G_ "initial commit ~a is signed by '~a' \
+instead of '~a'")
+                              commit-id
+                              (openpgp-format-fingerprint actual-signer)
+                              (openpgp-format-fingerprint expected-signer))))))))
+
+(define* (authenticate-channel channel checkout commit
+                               #:key (keyring-reference-prefix "origin/"))
+  "Authenticate the given COMMIT of CHANNEL, available at CHECKOUT, a
+directory containing a CHANNEL checkout.  Raise an error if authentication
+fails."
+  ;; XXX: Too bad we need to re-open CHECKOUT.
+  (with-repository checkout repository
+    (define start-commit
+      (commit-lookup repository
+                     (string->oid
+                      (channel-introduction-first-signed-commit
+                       (channel-introduction channel)))))
+
+    (define end-commit
+      (commit-lookup repository (string->oid commit)))
+
+    (define cache-key
+      (string-append "channels/" (symbol->string (channel-name channel))))
+
+    (define keyring-reference
+      (channel-metadata-keyring-reference
+       (read-channel-metadata-from-source checkout)))
+
+    (define keyring
+      (load-keyring-from-reference repository
+                                   (string-append keyring-reference-prefix
+                                                  keyring-reference)))
+
+    (define authenticated-commits
+      ;; Previously-authenticated commits that don't need to be checked again.
+      (filter-map (lambda (id)
+                    (false-if-exception
+                     (commit-lookup repository (string->oid id))))
+                  (previously-authenticated-commits cache-key)))
+
+    (define commits
+      ;; Commits to authenticate, excluding the closure of
+      ;; AUTHENTICATED-COMMITS.
+      (commit-difference end-commit start-commit
+                         authenticated-commits))
+
+    (define reporter
+      (progress-reporter/bar (length commits)))
+
+    ;; When COMMITS is empty, it's either because AUTHENTICATED-COMMITS
+    ;; contains END-COMMIT or because END-COMMIT is not a descendant of
+    ;; START-COMMIT.  Check that.
+    (if (null? commits)
+        (match (commit-relation start-commit end-commit)
+          ((or 'self 'ancestor 'descendant) #t)   ;nothing to do!
+          ('unrelated
+           (raise
+            (condition
+             (&message
+              (message
+               (format #f (G_ "'~a' is not related to introductory \
+commit of channel '~a'~%")
+                       (oid->string (commit-id end-commit))
+                       (channel-name channel))))))))
+        (begin
+          (format (current-error-port)
+                  (G_ "Authenticating channel '~a', \
+commits ~a to ~a (~h new commits)...~%")
+                  (channel-name channel)
+                  (commit-short-id start-commit)
+                  (commit-short-id end-commit)
+                  (length commits))
+
+          ;; If it's our first time, verify CHANNEL's introductory commit.
+          (when (null? authenticated-commits)
+            (verify-introductory-commit repository
+                                        (channel-introduction channel)
+                                        keyring))
+
+          (call-with-progress-reporter reporter
+            (lambda (report)
+              (authenticate-commits repository commits
+                                    #:keyring keyring
+                                    #:report-progress report)))
+
+          (unless (null? commits)
+            (cache-authenticated-commit cache-key
+                                        (oid->string
+                                         (commit-id end-commit))))))))
+
 (define* (latest-channel-instance store channel
                                   #:key (patches %patches)
                                   starting-commit)
@@ -225,6 +387,14 @@ relation to STARTING-COMMIT when provided."
                 (update-cached-checkout (channel-url channel)
                                         #:ref (channel-reference channel)
                                         #:starting-commit starting-commit)))
+    (if (channel-introduction channel)
+        (authenticate-channel channel checkout commit)
+        ;; TODO: Warn for all the channels once the authentication interface
+        ;; is public.
+        (when (guix-channel? channel)
+          (warning (G_ "the code of channel '~a' cannot be authenticated~%")
+                   (channel-name channel))))
+
     (when (guix-channel? channel)
       ;; Apply the relevant subset of PATCHES directly in CHECKOUT.  This is
       ;; safe to do because 'switch-to-ref' eventually does a hard reset.
diff --git a/tests/channels.scm b/tests/channels.scm
index 3b141428c8..2c857083e9 100644
--- a/tests/channels.scm
+++ b/tests/channels.scm
@@ -31,15 +31,28 @@
   #:use-module ((guix build utils) #:select (which))
   #:use-module (git)
   #:use-module (guix git)
+  #:use-module (guix git-authenticate)
+  #:use-module (guix openpgp)
   #:use-module (guix tests git)
+  #:use-module (guix tests gnupg)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-34)
   #:use-module (srfi srfi-35)
   #:use-module (srfi srfi-64)
+  #:use-module (rnrs bytevectors)
+  #:use-module (rnrs io ports)
   #:use-module (ice-9 control)
   #:use-module (ice-9 match))
 
+(define (gpg+git-available?)
+  (and (which (git-command))
+       (which (gpg-command)) (which (gpgconf-command))))
+
+(define commit-id-string
+  (compose oid->string commit-id))
+
+
 (test-begin "channels")
 
 (define* (make-instance #:key
@@ -389,4 +402,113 @@
                          (channel-news-for-commit channel commit5 commit1))
                     '(#f "tag-for-first-news-entry")))))))
 
+(unless (gpg+git-available?) (test-skip 1))
+(test-assert "authenticate-channel, wrong first commit signer"
+  (with-fresh-gnupg-setup (list %ed25519-public-key-file
+                                %ed25519-secret-key-file
+                                %ed25519bis-public-key-file
+                                %ed25519bis-secret-key-file)
+    (with-temporary-git-repository directory
+        `((add ".guix-channel"
+               ,(object->string
+                 '(channel (version 0)
+                           (keyring-reference "master"))))
+          (add ".guix-authorizations"
+               ,(object->string
+                 `(authorizations (version 0)
+                                  ((,(key-fingerprint
+                                      %ed25519-public-key-file)
+                                    (name "Charlie"))))))
+          (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+                               get-string-all))
+          (commit "first commit"
+                  (signer ,(key-fingerprint %ed25519-public-key-file))))
+      (with-repository directory repository
+        (let* ((commit1 (find-commit repository "first"))
+               (intro   ((@@ (guix channels) make-channel-introduction)
+                         (commit-id-string commit1)
+                         (openpgp-public-key-fingerprint
+                          (read-openpgp-packet
+                           %ed25519bis-public-key-file)) ;different key
+                         #f))                     ;no signature
+               (channel (channel (name 'example)
+                                 (url (string-append "file://" directory))
+                                 (introduction intro))))
+          (guard (c ((message? c)
+                     (->bool (string-contains (condition-message c)
+                                              "initial commit"))))
+            (authenticate-channel channel directory
+                                  (commit-id-string commit1)
+                                  #:keyring-reference-prefix "")
+            'failed))))))
+
+(unless (gpg+git-available?) (test-skip 1))
+(test-assert "authenticate-channel, .guix-authorizations"
+  (with-fresh-gnupg-setup (list %ed25519-public-key-file
+                                %ed25519-secret-key-file
+                                %ed25519bis-public-key-file
+                                %ed25519bis-secret-key-file)
+    (with-temporary-git-repository directory
+        `((add ".guix-channel"
+               ,(object->string
+                 '(channel (version 0)
+                           (keyring-reference "channel-keyring"))))
+          (add ".guix-authorizations"
+               ,(object->string
+                 `(authorizations (version 0)
+                                  ((,(key-fingerprint
+                                      %ed25519-public-key-file)
+                                    (name "Charlie"))))))
+          (commit "zeroth commit")
+          (add "a.txt" "A")
+          (commit "first commit"
+                  (signer ,(key-fingerprint %ed25519-public-key-file)))
+          (add "b.txt" "B")
+          (commit "second commit"
+                  (signer ,(key-fingerprint %ed25519-public-key-file)))
+          (add "c.txt" "C")
+          (commit "third commit"
+                  (signer ,(key-fingerprint %ed25519bis-public-key-file)))
+          (branch "channel-keyring")
+          (checkout "channel-keyring")
+          (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
+                               get-string-all))
+          (add "other.key" ,(call-with-input-file %ed25519bis-public-key-file
+                              get-string-all))
+          (commit "keyring commit")
+          (checkout "master"))
+      (with-repository directory repository
+        (let* ((commit1 (find-commit repository "first"))
+               (commit2 (find-commit repository "second"))
+               (commit3 (find-commit repository "third"))
+               (intro   ((@@ (guix channels) make-channel-introduction)
+                         (commit-id-string commit1)
+                         (openpgp-public-key-fingerprint
+                          (read-openpgp-packet
+                           %ed25519-public-key-file))
+                         #f))                     ;no signature
+               (channel (channel (name 'example)
+                                 (url (string-append "file://" directory))
+                                 (introduction intro))))
+          ;; COMMIT1 and COMMIT2 are fine.
+          (and (authenticate-channel channel directory
+                                     (commit-id-string commit2)
+                                     #:keyring-reference-prefix "")
+
+               ;; COMMIT3 is signed by an unauthorized key according to its
+               ;; parent's '.guix-authorizations' file.
+               (guard (c ((unauthorized-commit-error? c)
+                          (and (oid=? (git-authentication-error-commit c)
+                                      (commit-id commit3))
+                               (bytevector=?
+                                (openpgp-public-key-fingerprint
+                                 (unauthorized-commit-error-signing-key c))
+                                (openpgp-public-key-fingerprint
+                                 (read-openpgp-packet
+                                  %ed25519bis-public-key-file))))))
+                 (authenticate-channel channel directory
+                                       (commit-id-string commit3)
+                                       #:keyring-reference-prefix "")
+                 'failed)))))))
+
 (test-end "channels")
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 6/9] .guix-channel: Add 'keyring-reference'.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-6-ludo@gnu.org
Download
* .guix-channel: Add 'keyring-reference'.
---
.guix-channel | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

Toggle diff (13 lines)
diff --git a/.guix-channel b/.guix-channel
index 3e618d79f8..f4459f1de1 100644
--- a/.guix-channel
+++ b/.guix-channel
@@ -2,4 +2,5 @@
 
 (channel
   (version 0)
-  (news-file "etc/news.scm"))
+  (news-file "etc/news.scm")
+  (keyring-reference "keyring"))
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 7/9] channels: Automatically add introduction for the official 'guix' channel.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-7-ludo@gnu.org
Download
This is useful when people run "guix time-machine -C channels.scm",
where 'channels.scm' misses channel introductions.

* guix/channels.scm (%default-channel-url): New variable.
(%default-channels): Use it.
(ensure-default-introduction): New procedure.
(latest-channel-instance): Call it.
---
guix/channels.scm | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)

Toggle diff (51 lines)
diff --git a/guix/channels.scm b/guix/channels.scm
index 6047b51010..43ddff6f7c 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -148,18 +148,32 @@
                     "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))
    #f))                   ;TODO: Add an intro signature so it can be exported.
 
+(define %default-channel-url
+  ;; URL of the default 'guix' channel.
+  "https://git.savannah.gnu.org/git/guix.git")
+
 (define %default-channels
   ;; Default list of channels.
   (list (channel
          (name 'guix)
          (branch "master")
-         (url "https://git.savannah.gnu.org/git/guix.git")
+         (url %default-channel-url)
          (introduction %guix-channel-introduction))))
 
 (define (guix-channel? channel)
   "Return true if CHANNEL is the 'guix' channel."
   (eq? 'guix (channel-name channel)))
 
+(define (ensure-default-introduction chan)
+  "If CHAN represents the \"official\" 'guix' channel and lacks an
+introduction, add it."
+  (if (and (guix-channel? chan)
+           (not (channel-introduction chan))
+           (string=? (channel-url chan) %default-channel-url))
+      (channel (inherit chan)
+               (introduction %guix-channel-introduction))
+      chan))
+
 (define-record-type <channel-instance>
   (channel-instance channel commit checkout)
   channel-instance?
@@ -386,7 +400,9 @@ their relation."
     (and (string=? (basename file) ".git")
          (eq? 'directory (stat:type stat))))
 
-  (let-values (((checkout commit relation)
+  (let-values (((channel)
+                (ensure-default-introduction channel))
+               ((checkout commit relation)
                 (update-cached-checkout (channel-url channel)
                                         #:ref (channel-reference channel)
                                         #:starting-commit starting-commit)))
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 8/9] pull: Add '--disable-authentication'.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-8-ludo@gnu.org
Download
* guix/channels.scm (latest-channel-instance): Add #:authenticate? and
honor it.
(latest-channel-instances): Likewise.
* guix/scripts/pull.scm (%default-options): Add 'authenticate-channels?'.
(show-help, %options): Add '--disable-authentication'.
(guix-pull): Pass #:authenticate? to 'latest-channel-instances'.
* doc/guix.texi (Invoking guix pull): Document it.
---
doc/guix.texi | 14 ++++++++++++++
guix/channels.scm | 25 +++++++++++++++++--------
guix/scripts/pull.scm | 14 ++++++++++++--
3 files changed, 43 insertions(+), 10 deletions(-)

Toggle diff (146 lines)
diff --git a/doc/guix.texi b/doc/guix.texi
index 6fcb47970b..8131b3bf0d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -3927,6 +3927,20 @@ Make sure you understand its security implications before using
 @option{--allow-downgrades}.
 @end quotation
 
+@item --disable-authentication
+Allow pulling channel code without authenticating it.
+
+@cindex authentication, of channel code
+By default, @command{guix pull} authenticates code downloaded from
+channels by verifying that its commits are signed by authorized
+developers, and raises an error if this is not the case.  This option
+instructs it to not perform any such verification.
+
+@quotation Note
+Make sure you understand its security implications before using
+@option{--disable-authentication}.
+@end quotation
+
 @item --system=@var{system}
 @itemx -s @var{system}
 Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of
diff --git a/guix/channels.scm b/guix/channels.scm
index 43ddff6f7c..9e6adda5e9 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -391,11 +391,12 @@ commits ~a to ~a (~h new commits)...~%")
 (define* (latest-channel-instance store channel
                                   #:key (patches %patches)
                                   starting-commit
+                                  (authenticate? #f)
                                   (validate-pull
                                    ensure-forward-channel-update))
   "Return the latest channel instance for CHANNEL.  When STARTING-COMMIT is
 true, call VALIDATE-PULL with CHANNEL, STARTING-COMMIT, the target commit, and
-their relation."
+their relation.  When AUTHENTICATE? is false, CHANNEL is not authenticated."
   (define (dot-git? file stat)
     (and (string=? (basename file) ".git")
          (eq? 'directory (stat:type stat))))
@@ -409,13 +410,15 @@ their relation."
     (when relation
       (validate-pull channel starting-commit commit relation))
 
-    (if (channel-introduction channel)
-        (authenticate-channel channel checkout commit)
-        ;; TODO: Warn for all the channels once the authentication interface
-        ;; is public.
-        (when (guix-channel? channel)
-          (warning (G_ "the code of channel '~a' cannot be authenticated~%")
-                   (channel-name channel))))
+    (if authenticate?
+        (if (channel-introduction channel)
+            (authenticate-channel channel checkout commit)
+            ;; TODO: Warn for all the channels once the authentication interface
+            ;; is public.
+            (when (guix-channel? channel)
+              (warning (G_ "the code of channel '~a' cannot be authenticated~%")
+                       (channel-name channel))))
+        (warning (G_ "channel authentication disabled~%")))
 
     (when (guix-channel? channel)
       ;; Apply the relevant subset of PATCHES directly in CHECKOUT.  This is
@@ -463,11 +466,15 @@ allow non-forward updates."))))))))))
 (define* (latest-channel-instances store channels
                                    #:key
                                    (current-channels '())
+                                   (authenticate? #t)
                                    (validate-pull
                                     ensure-forward-channel-update))
   "Return a list of channel instances corresponding to the latest checkouts of
 CHANNELS and the channels on which they depend.
 
+When AUTHENTICATE? is true, authenticate the subset of CHANNELS that has a
+\"channel introduction\".
+
 CURRENT-CHANNELS is the list of currently used channels.  It is compared
 against the newly-fetched instances of CHANNELS, and VALIDATE-PULL is called
 for each channel update and can choose to emit warnings or raise an error,
@@ -505,6 +512,8 @@ depending on the policy it implements."
                      (let* ((current (current-commit (channel-name channel)))
                             (instance
                              (latest-channel-instance store channel
+                                                      #:authenticate?
+                                                      authenticate?
                                                       #:validate-pull
                                                       validate-pull
                                                       #:starting-commit
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index d3d0d2bd64..f953957161 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -82,6 +82,7 @@
     (graft? . #t)
     (debug . 0)
     (verbosity . 1)
+    (authenticate-channels? . #t)
     (validate-pull . ,ensure-forward-channel-update)))
 
 (define (show-help)
@@ -97,6 +98,9 @@ Download and deploy the latest version of Guix.\n"))
       --branch=BRANCH    download the tip of the specified BRANCH"))
   (display (G_ "
       --allow-downgrades allow downgrades to earlier channel revisions"))
+  (display (G_ "
+      --disable-authentication
+                         disable channel authentication"))
   (display (G_ "
   -N, --news             display news compared to the previous generation"))
   (display (G_ "
@@ -165,6 +169,9 @@ Download and deploy the latest version of Guix.\n"))
                  (lambda (opt name arg result)
                    (alist-cons 'validate-pull warn-about-backward-updates
                                result)))
+         (option '("disable-authentication") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'authenticate-channels? #f result)))
          (option '(#\p "profile") #t #f
                  (lambda (opt name arg result)
                    (alist-cons 'profile (canonicalize-profile arg)
@@ -771,7 +778,8 @@ Use '~/.config/guix/channels.scm' instead."))
             (channels     (channel-list opts))
             (profile      (or (assoc-ref opts 'profile) %current-profile))
             (current-channels (profile-channels profile))
-            (validate-pull    (assoc-ref opts 'validate-pull)))
+            (validate-pull    (assoc-ref opts 'validate-pull))
+            (authenticate?    (assoc-ref opts 'authenticate-channels?)))
        (cond ((assoc-ref opts 'query)
               (process-query opts profile))
              ((assoc-ref opts 'generation)
@@ -793,7 +801,9 @@ Use '~/.config/guix/channels.scm' instead."))
                                                        #:current-channels
                                                        current-channels
                                                        #:validate-pull
-                                                       validate-pull)))
+                                                       validate-pull
+                                                       #:authenticate?
+                                                       authenticate?)))
                         (format (current-error-port)
                                 (N_ "Building from this channel:~%"
                                     "Building from these channels:~%"
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 00:02
Download
[PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction>.
(address . 41767@debbugs.gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20200608220256.3267-9-ludo@gnu.org
Download
This allows users to authenticate commits that were made before
'.guix-authorizations' was introduced.

* guix/channels.scm (<channel-introduction>)[prehistorical-authorizations]:
New field.
(%guix-historical-committers): New variable.
(openpgp-fingerprint->bytevector): New procedure.
(%guix-channel-introduction): Add 'prehistorical-authorizations' field.
(authenticate-channel): Honor it. Pass it as #:default-authorizations
to 'authenticate-commits'.
* build-aux/git-authenticate.scm (%historical-committers)
(%historical-authorized-signing-keys, commit-short-id): Remove.
* build-aux/git-authenticate.scm (git-authenticate): Rewrite to use
'authenticate-channel'.
* tests/channels.scm ("authenticate-channel, wrong first commit signer")
("authenticate-channel, .guix-authorizations"): Adjust accordingly.
---
build-aux/git-authenticate.scm | 247 ++-------------------------------
guix/channels.scm | 213 ++++++++++++++++++++++++++--
tests/channels.scm | 2 +
3 files changed, 214 insertions(+), 248 deletions(-)

Toggle diff (551 lines)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index a3d4b40ccf..a84b79dfe7 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -25,6 +25,7 @@
              (guix base16)
              (guix git)
              (guix git-authenticate)
+             (guix channels)
              (guix i18n)
              ((guix openpgp)
               #:select (openpgp-public-key-fingerprint
@@ -37,186 +38,6 @@
              (ice-9 pretty-print))
 
 
-(define %historical-committers
-  ;; List of "historical" committers---people once authorized committers
-  ;; before the '.guix-authorizations' file was created.
-  ;;
-  ;; These are the user names found on
-  ;; <https://savannah.gnu.org/project/memberlist.php?group=guix> along with
-  ;; the fingerprint of the signing (sub)key.
-  '(("andreas"
-     "AD17 A21E F8AE D8F1 CC02  DBD9 F7D5 C9BF 765C 61E3")
-    ("ajgrf"
-     "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5")
-    ("alexvong1995"
-     "306F CB8F 2C01 C25D 29D3  0556 61EF 502E F602 52F2")
-    ("alezost"
-     "4FB9 9F49 2B12 A365 7997  E664 8246 0C08 2A0E E98F")
-    ("ambrevar"
-     "50F3 3E2E 5B0C 3D90 0424  ABE8 9BDC F497 A4BB CC7F")
-    ("apteryx"
-     "27D5 86A4 F890 0854 329F  F09F 1260 E464 82E6 3562")
-    ("arunisaac"
-     "7F73 0343 F2F0 9F3C 77BF  79D3 2E25 EE8B 6180 2BB3")
-    ("atheia"
-     ;; primary: "3B12 9196 AE30 0C3C 0E90  A26F A715 5567 3271 9948"
-     "9A2B 401E D001 0650 1584  BAAC 8BC4 F447 6E8A 8E00")
-    ("bandali"
-     ;; primary: "BE62 7373 8E61 6D6D 1B3A  08E8 A21A 0202 4881 6103"
-     "39B3 3C8D 9448 0D2D DCC2  A498 8B44 A0CD C7B9 56F2")
-    ("bavier"
-     ;; primary: "34FF 38BC D151 25A6 E340  A0B5 3453 2F9F AFCA 8B8E"
-     "A0C5 E352 2EF8 EF5C 64CD  B7F0 FD73 CAC7 19D3 2566")
-    ("beffa"
-     "3774 8024 880F D3FF DCA2  C9AB 5893 6E0E 2F1B 5A4C")
-    ("benwoodcroft"
-     "BCF8 F737 2CED 080A 67EB  592D 2A6A D9F4 AAC2 0DF6")
-    ("biscuolo"
-     "45CC 63B8 5258 C9D5 5F34  B239 D37D 0EA7 CECC 3912")
-    ("boskovits"
-     "7988 3B9F 7D6A 4DBF 3719  0367 2506 A96C CF63 0B21")
-    ("brettgilio"
-     "DFC0 C7F7 9EE6 0CA7 AE55  5E19 6722 43C4 A03F 0EEE")
-    ("carl"
-     ;; primary: "0401 7A2A 6D9A 0CCD C81D  8EC2 96AB 007F 1A7E D999"
-     "09CD D25B 5244 A376 78F6  EEA8 0CC5 2153 1979 91A5")
-    ("cbaines"
-     "3E89 EEE7 458E 720D 9754  E0B2 5E28 A33B 0B84 F577")
-    ("civodul"
-     "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5")
-    ("cwebber"
-     "510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3")
-    ("dannym"
-     ;; primary: "295A F991 6F46 F8A1 34B0  29DA 8086 3842 F0FE D83B"
-     "76CE C6B1 7274 B465 C02D  B3D9 E71A 3554 2C30 BAA5")
-    ("davexunit"
-     "B3C0 DB4D AD73 BA5D 285E  19AE 5143 0234 CEFD 87C3")
-    ("davexunit (2nd)"                            ;FIXME: to be confirmed!
-     "8CCB A7F5 52B9 CBEA E1FB  2915 8328 C747 0FF1 D807")
-    ("daviwil"
-     "53C4 1E6E 41AA FE55 335A  CA5E 446A 2ED4 D940 BF14")
-    ("dvc"
-     "6909 6DFD D702 8BED ACC5  884B C5E0 51C7 9C0B ECDB")
-    ("dvc (old)"
-     "5F43 B681 0437 2F4B A898  A64B 33B9 E9FD E28D 2C23")
-    ("efraim"
-     "A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351")
-    ("efraim (old)"
-     "9157 41FE B22F A4E3 3B6E  8F8D F4C1 D391 7EAC EE93")
-    ("glv"
-     ;; primary: "2453 02B1 BAB1 F867 FDCA  96BC 8F3F 861F 82EB 7A9A"
-     "CBC5 9C66 EC27 B971 7940  6B3E 6BE8 208A DF21 FE3F")
-    ("hoebjo"
-     "2219 43F4 9E9F 276F 9499  3382 BF28 6CB6 593E 5FFD")
-    ("htgoebel"
-     "B943 509D 633E 80DD 27FC  4EED 634A 8DFF D3F6 31DF")
-    ("ipetkov"
-     "7440 26BA 7CA3 C668 E940  1D53 0B43 1E98 3705 6942")
-    ("iyzsong"
-     ;; primary: "66A5 6D9C 9A98 BE7F 719A  B401 2652 5665 AE72 7D37"
-     "0325 78A6 8298 94E7 2AA2  66F5 D415 BF25 3B51 5976")
-
-    ;; https://lists.gnu.org/archive/html/guix-devel/2018-04/msg00229.html
-    ("janneke (old)"
-     "DB34 CB51 D25C 9408 156F  CDD6 A12F 8797 8D70 1B99")
-    ("janneke"
-     "1A85 8392 E331 EAFD B8C2  7FFB F3C1 A0D9 C1D6 5273")
-
-    ("jlicht"
-     ;; primary: "1BA4 08C5 8BF2 0EA7 3179  635A 865D C0A3 DED9 B5D0"
-     "E31D 9DDE EBA5 4A14 8A20  4550 DA45 97F9 47B4 1025")
-    ("jmd"
-     "8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3")
-    ("kkebreau"
-     "83B6 703A DCCA 3B69 4BCE  2DA6 E6A5 EE3C 1946 7A0D")
-    ("leungbk"
-     "45E5 75FA 53EA 8BD6 1BCE  0B4E 3ADC 75F0 13D6 78F9")
-    ("lfam"
-     ;; primary: "4F71 6F9A 8FA2 C80E F1B5  E1BA 5E35 F231 DE1A C5E0"
-     "B051 5948 F1E7 D3C1 B980  38A0 2646 FA30 BACA 7F08")
-    ("lsl88"
-     "2AE3 1395 932B E642 FC0E  D99C 9BED 6EDA 32E5 B0BC")
-    ("marusich"
-     "CBF5 9755 CBE7 E7EF EF18  3FB1 DD40 9A15 D822 469D")
-    ("mbakke"
-     "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")
-    ("mhw"
-     "D919 0965 CE03 199E AF28  B3BE 7CEF 2984 7562 C516")
-    ("mothacehe"
-     "4008 6A7E 0252 9B60 31FB  8607 8354 7635 3176 9CA6")
-    ("mthl"
-     "F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37")
-    ("nckx"
-     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
-     "F5DA 2032 4B87 3D0B 7A38  7672 0DB0 FF88 4F55 6D79")
-    ("nckx (revoked; not compromised)"
-     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
-     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
-    ("niedzejkob"
-     "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564")
-    ("ngz"
-     "ED0E F1C8 E126 BA83 1B48  5FE9 DA00 B4F0 48E9 2F2D")
-    ("pelzflorian"
-     "CEF4 CB91 4856 BA38 0A20  A7E2 3008 88CB 39C6 3817")
-    ("pgarlick"
-     ;; primary: "B68B DF22 73F9 DA0E 63C1  8A32 515B F416 9242 D600"
-     "C699 ED09 E51B CE89 FD1D  A078 AAC7 E891 896B 568A")
-    ("phant0mas"
-     "3A86 380E 58A8 B942 8D39  60E1 327C 1EF3 8DF5 4C32")
-    ("reepca"
-     "74D6 A930 F44B 9B84 9EA5  5606 C166 AA49 5F7F 189C")
-    ("rekado"
-     "BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC")
-    ("rhelling"
-     "0154 E1B9 1CC9 D9EF 7764  8DE7 F3A7 27DB 44FC CA36")
-    ("roelj (old)"
-     "17CB 2812 EB63 3DFF 2C7F  0452 C3EC 1DCA 8430 72E1")
-    ("roelj"
-     ;; From commit cc51c03ff867d4633505354819c6d88af88bf919 (March 2020).
-     ;; See <https://lists.gnu.org/archive/html/guix-devel/2020-03/msg00070.html>.
-     "F556 FD94 FB8F 8B87 79E3  6832 CBD0 CD51 38C1 9AFC")
-    ("roptat (old)"
-     "B5FA E628 5B41 3728 B2A0  FAED 4311 1F45 2008 6A0C")
-    ("roptat"
-     ;; From commit 2cbede5935eb6a40173bbdf30a9ad22bf7574c22 (Jan. 2020).  See
-     ;; <https://lists.gnu.org/archive/html/guix-devel/2020-01/msg00499.html>.
-     "1EFB 0909 1F17 D28C CBF9  B13A 53D4 57B2 D636 EE82")
-    ("samplet"
-     ;; primary: "D6B0 C593 DA8C 5EDC A44C  7A58 C336 91F7 1188 B004"
-     "A02C 2D82 0EF4 B25B A6B5  1D90 2AC6 A5EC 1C35 7C59")
-    ("sleep_walker"
-     "77DD AD2D 97F5 31BB C0F3  C7FD DFB5 EB09 AA62 5423")
-    ("snape"
-     "F494 72F4 7A59 00D5 C235  F212 89F9 6D48 08F3 59C7")
-    ("steap"
-     "4E26 CCE9 578E 0828 9855  BDD4 1C79 95D2 D5A3 8336")
-    ("taylanub"
-     "9ADE 9ECF 2B19 C180 9C99  5CEA A1F4 CFCC 5283 6BAC")
-
-    ;; https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00826.html
-    ("thomasd"
-     ;; primary: "1DD1 681F E285 E07F 11DC  0C59 2E15 A6BC D77D 54FD"
-     "3D2C DA58 819C 08C2 A649  D43D 5C3B 064C 724A 5726")
-    ("thomasd (old)"
-     "A5C5 92EA 606E 7106 A6A3  BC08 98B2 1575 91E1 2B08")
-
-    ("toothbrush"
-     "D712 1D73 A40A 7264 9E43  ED7D F284 6B1A 0D32 C442")
-    ("vagrantc"
-     "6580 7361 3BFC C5C7 E2E4  5D45 DC51 8FC8 7F97 16AA")
-    ("wigust"
-     ;; primary: "C955 CC5D C048 7FB1 7966  40A9 199A F6A3 67E9 4ABB"
-     "7238 7123 8EAC EB63 4548  5857 167F 8EA5 001A FA9C")
-    ("wingo"
-     "FF47 8FB2 64DE 32EC 2967  25A3 DDC0 F535 8812 F8F2")))
-
-(define %historical-authorized-signing-keys
-  ;; Fingerprint of historically authorized signing keys.
-  (map (match-lambda
-         ((name fingerprint)
-          (base16-string->bytevector
-           (string-downcase (string-filter char-set:graphic fingerprint)))))
-       %historical-committers))
 
 (define %commits-with-bad-signature
   ;; Commits with a known-bad signature.
@@ -226,73 +47,25 @@
   ;; Commits lacking a signature.
   '())
 
-(define commit-short-id
-  (compose (cut string-take <> 7) oid->string commit-id))
-
 
 ;;;
 ;;; Entry point.
 ;;;
 
 (define (git-authenticate args)
-  (define repository
-    (repository-open "."))
-
   (let loop ((args args))
     (match args
       ((_ start end)
-       (define start-commit
-         (commit-lookup repository (string->oid start)))
-       (define end-commit
-         (commit-lookup repository (string->oid end)))
-
-       (define authenticated-commits
-         ;; Previously-authenticated commits that don't need to be checked
-         ;; again.
-         (filter-map (lambda (id)
-                       (false-if-exception
-                        (commit-lookup repository (string->oid id))))
-                     (previously-authenticated-commits "channels/guix")))
-
-       (define commits
-         ;; Commits to authenticate, excluding the closure of
-         ;; AUTHENTICATED-COMMITS.
-         (commit-difference end-commit start-commit
-                            authenticated-commits))
-
-       (define reporter
-         (progress-reporter/bar (length commits)))
-
-       (format #t (G_ "Authenticating ~a to ~a (~a commits)...~%")
-               (commit-short-id start-commit)
-               (commit-short-id end-commit)
-               (length commits))
-
-       (let ((stats (call-with-progress-reporter reporter
-                      (lambda (report)
-                        (authenticate-commits repository commits
-                                              #:default-authorizations
-                                              %historical-authorized-signing-keys
-                                              #:report-progress report)))))
-         (cache-authenticated-commit "channels/guix"
-                                     (oid->string (commit-id end-commit)))
-
-         (unless (null? stats)
-           (format #t (G_ "Signing statistics:~%"))
-           (for-each (match-lambda
-                       ((signer . count)
-                        (format #t "  ~a ~10d~%"
-                                (openpgp-format-fingerprint
-                                 (openpgp-public-key-fingerprint signer))
-                                count)))
-                     (sort stats
-                           (match-lambda*
-                             (((_ . count1) (_ . count2))
-                              (> count1 count2))))))))
+       (authenticate-channel (car %default-channels) "." end
+                             ;; Require users to have a local 'keyring'
+                             ;; branch.
+                             #:keyring-reference-prefix ""))
       ((command start)
-       (let* ((head (repository-head repository))
-              (end  (reference-target head)))
-         (loop (list command start (oid->string end)))))
+       (let* ((repository (repository-open "."))
+              (head       (repository-head repository))
+              (end        (oid->string (reference-target head))))
+         (repository-close! repository)
+         (loop (list command start end))))
       (_
        (format (current-error-port)
                (G_ "Usage: git-authenticate START [END]
diff --git a/guix/channels.scm b/guix/channels.scm
index 9e6adda5e9..b9983c6a43 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -126,26 +126,211 @@
 ;; as its signer's fingerprint.  The pair must be signed by the signer of that
 ;; commit so that only them may emit this introduction.  Introductions are
 ;; used to bootstrap trust in a channel.
+;;
+;; For the 'guix' channel, the introduction can also list "prehistorical
+;; authorizations": the list of fingerprints of authorized committers before
+;; the '.guix-authorizations' file was introduced.  Currently this feature is
+;; only available for the 'guix' channel because otherwise we would need and
+;; out-of-band mechanism to authenticate those prehistorical authorizations.
 (define-record-type <channel-introduction>
   (make-channel-introduction first-signed-commit first-commit-signer
-                             signature)
+                             prehistorical-authorizations signature)
   channel-introduction?
   (first-signed-commit  channel-introduction-first-signed-commit) ;hex string
   (first-commit-signer  channel-introduction-first-commit-signer) ;bytevector
+  (prehistorical-authorizations
+   channel-introduction-prehistorical-authorizations)    ;list of bytevectors
   (signature            channel-introduction-signature))          ;string
 
+(define %guix-historical-committers
+  ;; List of "historical" Guix committers---people once authorized committers
+  ;; before the '.guix-authorizations' file was created.
+  ;;
+  ;; These are the user names found on
+  ;; <https://savannah.gnu.org/project/memberlist.php?group=guix> along with
+  ;; the fingerprint of the signing (sub)key.
+  '(("andreas"
+     "AD17 A21E F8AE D8F1 CC02  DBD9 F7D5 C9BF 765C 61E3")
+    ("ajgrf"
+     "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5")
+    ("alexvong1995"
+     "306F CB8F 2C01 C25D 29D3  0556 61EF 502E F602 52F2")
+    ("alezost"
+     "4FB9 9F49 2B12 A365 7997  E664 8246 0C08 2A0E E98F")
+    ("ambrevar"
+     "50F3 3E2E 5B0C 3D90 0424  ABE8 9BDC F497 A4BB CC7F")
+    ("apteryx"
+     "27D5 86A4 F890 0854 329F  F09F 1260 E464 82E6 3562")
+    ("arunisaac"
+     "7F73 0343 F2F0 9F3C 77BF  79D3 2E25 EE8B 6180 2BB3")
+    ("atheia"
+     ;; primary: "3B12 9196 AE30 0C3C 0E90  A26F A715 5567 3271 9948"
+     "9A2B 401E D001 0650 1584  BAAC 8BC4 F447 6E8A 8E00")
+    ("bandali"
+     ;; primary: "BE62 7373 8E61 6D6D 1B3A  08E8 A21A 0202 4881 6103"
+     "39B3 3C8D 9448 0D2D DCC2  A498 8B44 A0CD C7B9 56F2")
+    ("bavier"
+     ;; primary: "34FF 38BC D151 25A6 E340  A0B5 3453 2F9F AFCA 8B8E"
+     "A0C5 E352 2EF8 EF5C 64CD  B7F0 FD73 CAC7 19D3 2566")
+    ("beffa"
+     "3774 8024 880F D3FF DCA2  C9AB 5893 6E0E 2F1B 5A4C")
+    ("benwoodcroft"
+     "BCF8 F737 2CED 080A 67EB  592D 2A6A D9F4 AAC2 0DF6")
+    ("biscuolo"
+     "45CC 63B8 5258 C9D5 5F34  B239 D37D 0EA7 CECC 3912")
+    ("boskovits"
+     "7988 3B9F 7D6A 4DBF 3719  0367 2506 A96C CF63 0B21")
+    ("brettgilio"
+     "DFC0 C7F7 9EE6 0CA7 AE55  5E19 6722 43C4 A03F 0EEE")
+    ("carl"
+     ;; primary: "0401 7A2A 6D9A 0CCD C81D  8EC2 96AB 007F 1A7E D999"
+     "09CD D25B 5244 A376 78F6  EEA8 0CC5 2153 1979 91A5")
+    ("cbaines"
+     "3E89 EEE7 458E 720D 9754  E0B2 5E28 A33B 0B84 F577")
+    ("civodul"
+     "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5")
+    ("cwebber"
+     "510A 8628 E2A7 7678 8F8C  709C 4BC0 2592 5FF8 F4D3")
+    ("dannym"
+     ;; primary: "295A F991 6F46 F8A1 34B0  29DA 8086 3842 F0FE D83B"
+     "76CE C6B1 7274 B465 C02D  B3D9 E71A 3554 2C30 BAA5")
+    ("davexunit"
+     "B3C0 DB4D AD73 BA5D 285E  19AE 5143 0234 CEFD 87C3")
+    ("davexunit (2nd)"                            ;FIXME: to be confirmed!
+     "8CCB A7F5 52B9 CBEA E1FB  2915 8328 C747 0FF1 D807")
+    ("daviwil"
+     "53C4 1E6E 41AA FE55 335A  CA5E 446A 2ED4 D940 BF14")
+    ("dvc"
+     "6909 6DFD D702 8BED ACC5  884B C5E0 51C7 9C0B ECDB")
+    ("dvc (old)"
+     "5F43 B681 0437 2F4B A898  A64B 33B9 E9FD E28D 2C23")
+    ("efraim"
+     "A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351")
+    ("efraim (old)"
+     "9157 41FE B22F A4E3 3B6E  8F8D F4C1 D391 7EAC EE93")
+    ("glv"
+     ;; primary: "2453 02B1 BAB1 F867 FDCA  96BC 8F3F 861F 82EB 7A9A"
+     "CBC5 9C66 EC27 B971 7940  6B3E 6BE8 208A DF21 FE3F")
+    ("hoebjo"
+     "2219 43F4 9E9F 276F 9499  3382 BF28 6CB6 593E 5FFD")
+    ("htgoebel"
+     "B943 509D 633E 80DD 27FC  4EED 634A 8DFF D3F6 31DF")
+    ("ipetkov"
+     "7440 26BA 7CA3 C668 E940  1D53 0B43 1E98 3705 6942")
+    ("iyzsong"
+     ;; primary: "66A5 6D9C 9A98 BE7F 719A  B401 2652 5665 AE72 7D37"
+     "0325 78A6 8298 94E7 2AA2  66F5 D415 BF25 3B51 5976")
+
+    ;; https://lists.gnu.org/archive/html/guix-devel/2018-04/msg00229.html
+    ("janneke (old)"
+     "DB34 CB51 D25C 9408 156F  CDD6 A12F 8797 8D70 1B99")
+    ("janneke"
+     "1A85 8392 E331 EAFD B8C2  7FFB F3C1 A0D9 C1D6 5273")
+
+    ("jlicht"
+     ;; primary: "1BA4 08C5 8BF2 0EA7 3179  635A 865D C0A3 DED9 B5D0"
+     "E31D 9DDE EBA5 4A14 8A20  4550 DA45 97F9 47B4 1025")
+    ("jmd"
+     "8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3")
+    ("kkebreau"
+     "83B6 703A DCCA 3B69 4BCE  2DA6 E6A5 EE3C 1946 7A0D")
+    ("leungbk"
+     "45E5 75FA 53EA 8BD6 1BCE  0B4E 3ADC 75F0 13D6 78F9")
+    ("lfam"
+     ;; primary: "4F71 6F9A 8FA2 C80E F1B5  E1BA 5E35 F231 DE1A C5E0"
+     "B051 5948 F1E7 D3C1 B980  38A0 2646 FA30 BACA 7F08")
+    ("lsl88"
+     "2AE3 1395 932B E642 FC0E  D99C 9BED 6EDA 32E5 B0BC")
+    ("marusich"
+     "CBF5 9755 CBE7 E7EF EF18  3FB1 DD40 9A15 D822 469D")
+    ("mbakke"
+     "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")
+    ("mhw"
+     "D919 0965 CE03 199E AF28  B3BE 7CEF 2984 7562 C516")
+    ("mothacehe"
+     "4008 6A7E 0252 9B60 31FB  8607 8354 7635 3176 9CA6")
+    ("mthl"
+     "F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37")
+    ("nckx"
+     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
+     "F5DA 2032 4B87 3D0B 7A38  7672 0DB0 FF88 4F55 6D79")
+    ("nckx (revoked; not compromised)"
+     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
+     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
+    ("niedzejkob"
+     "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564")
+    ("ngz"
+     "ED0E F1C8 E126 BA83 1B48  5FE9 DA00 B4F0 48E9 2F2D")
+    ("pelzflorian"
+     "CEF4 CB91 4856 BA38 0A20  A7E2 3008 88CB 39C6 3817")
+    ("pgarlick"
+     ;; primary: "B68B DF22 73F9 DA0E 63C1  8A32 515B F416 9242 D600"
+     "C699 ED09 E51B CE89 FD1D  A078 AAC7 E891 896B 568A")
+    ("phant0mas"
+     "3A86 380E 58A8 B942 8D39  60E1 327C 1EF3 8DF5 4C32")
+    ("reepca"
+     "74D6 A930 F44B 9B84 9EA5  5606 C166 AA49 5F7F 189C")
+    ("rekado"
+     "BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC")
+    ("rhelling"
+     "0154 E1B9 1CC9 D9EF 7764  8DE7 F3A7 27DB 44FC CA36")
+    ("roelj (old)"
+     "17CB 2812 EB63 3DFF 2C7F  0452 C3EC 1DCA 8430 72E1")
+    ("roelj"
+     ;; From commit cc51c03ff867d4633505354819c6d88af88bf919 (March 2020).
+     ;; See <https://lists.gnu.org/archive/html/guix-devel/2020-03/msg00070.html>.
+     "F556 FD94 FB8F 8B87 79E3  6832 CBD0 CD51 38C1 9AFC")
+    ("roptat (old)"
+     "B5FA E628 5B41 3728 B2A0  FAED 4311 1F45 2008 6A0C")
+    ("roptat"
+     ;; From commit 2cbede5935eb6a40173bbdf30a9ad22bf7574c22 (Jan. 2020).  See
+     ;; <https://lists.gnu.org/archive/html/guix-devel/2020-01/msg00499.html>.
+     "1EFB 0909 1F17 D28C CBF9  B13A 53D4 57B2 D636 EE82")
+    ("samplet"
+     ;; primary: "D6B0 C593 DA8C 5EDC A44C  7A58 C336 91F7 1188 B004"
+     "A02C 2D82 0EF4 B25B A6B5  1D90 2AC6 A5EC 1C35 7C59")
+    ("sleep_walker"
+     "77DD AD2D 97F5 31BB C0F3  C7FD DFB5 EB09 AA62 5423")
+    ("snape"
+     "F494 72F4 7A59 00D5 C235  F212 89F9 6D48 08F3 59C7")
+    ("steap"
+     "4E26 CCE9 578E 0828 9855  BDD4 1C79 95D2 D5A3 8336")
+    ("taylanub"
+     "9ADE 9ECF 2B19 C180 9C99  5CEA A1F4 CFCC 5283 6BAC")
+
+    ;; https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00826.html
+    ("thomasd"
+     ;; primary: "1DD1 681F E285 E07F 11DC  0C59 2E15 A6BC D77D 54FD"
+     "3D2C DA58 819C 08C2 A649  D43D 5C3B 064C 724A 5726")
+    ("thomasd (old)"
+     "A5C5 92EA 606E 7106 A6A3  BC08 98B2 1575 91E1 2B08")
+
+    ("toothbrush"
+     "D712 1D73 A40A 7264 9E43  ED7D F284 6B1A 0D32 C442")
+    ("vagrantc"
+     "6580 7361 3BFC C5C7 E2E4  5D45 DC51 8FC8 7F97 16AA")
+    ("wigust"
+     ;; primary: "C955 CC5D C048 7FB1 7966  40A9 199A F6A3 67E9 4ABB"
+     "7238 7123 8EAC EB63 4548  5857 167F 8EA5 001A FA9C")
+    ("wingo"
+     "FF47 8FB2 64DE 32EC 2967  25A3 DDC0 F535 8812 F8F2")))
+
+(define (openpgp-fingerprint->bytevector str)
+  (base16-string->bytevector
+   (string-downcase (string-filter char-set:hex-digit str))))
+
 (define %guix-channel-introduction
-  ;; Introduction of the official 'guix channel.  The chosen commit is the
-  ;; first one that introduces '.guix-authorizations' on the 'core-updates'
-  ;; branch that was eventually merged in 'master'.  Any branch starting
-  ;; before that commit cannot be merged or it will be rejected by 'guix pull'
-  ;; & co.
+  ;; Introduction of the official 'guix channel.
   (make-channel-introduction
-   "87a40d7203a813921b3ef0805c2b46c0026d6c31"
-   (base16-string->bytevector
-    (string-downcase
-     (string-filter char-set:hex-digit            ;mbakke
-                    "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA")))
+   "6298c3ffd9654d3231a6f25390b056483e8f407c"     ;v1.0.0
+   (openpgp-fingerprint->bytevector
+    "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5") ;civodul
+
+   ;; The "prehistorical authorizations" lists authorized committers between
+   ;; v1.0.0 and the commit where '.guix-authorizations' was introduced.
+   (match %guix-historical-committers
+     (((_ fingerprints) ...)
+      (map openpgp-fingerprint->bytevector fingerprints)))
    #f))                   ;TODO: Add an intro signature so it can be exported.
 
 (define %default-channel-url
@@ -331,6 +516,10 @@ fails."
                                    (string-append keyring-reference-prefix
                                                   keyring-reference)))
 
+    (define prehistorical-authorizations
+      (channel-introduction-prehistorical-authorizations
+       (channel-introduction channel)))
+
     (define authenticated-commits
       ;; Previously-authenticated commits that don't need to be checked again.
       (filter-map (lambda (id)
@@ -381,6 +570,8 @@ commits ~a to ~a (~h new commits)...~%")
             (lambda (report)
               (authenticate-commits repository commits
                                     #:keyring keyring
+                                    #:default-authorizations
+                                    prehistorical-authorizations
                                     #:report-progress report)))
 
           (unless (null? commits)
diff --git a/tests/channels.scm b/tests/channels.scm
index 5f13a48ec1..8c64d7a7c7 100644
--- a/tests/channels.scm
+++ b/tests/channels.scm
@@ -430,6 +430,7 @@
                          (openpgp-public-key-fingerprint
                           (read-openpgp-packet
                            %ed25519bis-public-key-file)) ;different key
+                         '()
                          #f))                     ;no signature
                (channel (channel (name 'example)
                                  (url (string-append "file://" directory))
@@ -486,6 +487,7 @@
                          (openpgp-public-key-fingerprint
                           (read-openpgp-packet
                            %ed25519-public-key-file))
+                         '()
                          #f))                     ;no signature
                (channel (channel (name 'example)
                                  (url (string-append "file://" directory))
-- 
2.26.2
L
L
Ludovic Courtès wrote on 9 Jun 2020 09:15
Download
Re: [bug#41767] [PATCH 0/9] Authenticate channels
(address . 41767@debbugs.gnu.org)(address . 22883@debbugs.gnu.org)
87y2owogko.fsf@gnu.org
Download
Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (6 lines)
> This patch series does it! It integrates checkout authentication
> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
> automatically authenticate the commits they fetch and raise an
> error if they find an unsigned commit or a commit signed by an
> unauthorized party¹.

[...]

Toggle quote (2 lines)
> ¹ https://issues.guix.gnu.org/issue/22883#64

Something we didn’t discuss is that this model forbids a merge-request
kind of workflow, or at least the person who merges must sign the
commits, rewriting the merged branch.

I think it’s a reasonable tradeoff in this space, but it’s worth
keeping in mind.

Ludo’.
Z
Z
zimoun wrote on 9 Jun 2020 12:52
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41767@debbugs.gnu.org)
CAJ3okZ0dqFbpQJ7OHCSpA5Evp7Rsfs5M4dB=pQDXkRwWtGsm=w@mail.gmail.com
Download
Hi Ludo

(-22883@debbugs.gnu.org)

On Mon, 8 Jun 2020 at 23:53, Ludovic Courtès <ludo@gnu.org> wrote:

Toggle quote (4 lines)
> I would much welcome feedback! I’m happy to answer questions if
> anything’s unclear. Don’t hesitate, because after that it’ll be
> harder to change!

I am sorry to be slow to understand and if I am naive but there are
still points which are unclear [1] to me, especially when 'guix
time-machine' will use this authentication machinery.

[1] https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00057.html


From my understanding, there are 4 situations

1- add signed material to a signed channel
2- introduce authentication to an unsigned channel
3- add unsigned material to a signed channel
4- add unsigned material to unsigned channel

And I am interested by how it works for the situation #3. For a
concrete example of 3., e.g.,

Toggle snippet (8 lines)
git clone https://git.savannah.gnu.org/git/guix.git
git worktree add -b foo wk/foo
cd wk/foo
# add my unready stuff
./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo
/tmp/foo/bin/guix install unready-stuff

In this case, do I have to use the option '--disable-authentication'?
And this is the scenario for almost all the patches on guix-patches;
even if 'pull' is generally not necessary when testing the patch. :-)

Another example is let consider that this channel [2] -- or any other
public one used by labs to publish specific tools; I am not aware
about one by INRIA ;-) -- and let imagine that this channel is
authenticated, i.e., there is a '.guix-authorizations' file. Now, can
I fork this channel and my unsigned material without entering in the
security dance? Do I need to use the option
'--disable-authentication'?

Moreover, if this forked channel is added to
'~/.config/guix/channels.scm', i.e., in addition to
'%default-channel', what happens for pulling? Well, it is not
possible to pull a signed channel and an "unauthorized fork from a
signed channel" in only one command, right?

[2] https://github.com/BIMSBbioinfo/guix-bimsb


Well, I am sorry to be insistent but this authentication machinery
seems having an hard implication in my workflow and I would like to be
prepared.

All the best,
simon
L
L
Ludovic Courtès wrote on 9 Jun 2020 16:16
Download
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 41767@debbugs.gnu.org)
875zc0jpdp.fsf@gnu.org
Download
Hi Simon,

zimoun <zimon.toutoune@gmail.com> skribis:

Toggle quote (7 lines)
> From my understanding, there are 4 situations
>
> 1- add signed material to a signed channel
> 2- introduce authentication to an unsigned channel
> 3- add unsigned material to a signed channel
> 4- add unsigned material to unsigned channel

I’m not sure what material you have in mind.

There are in my view only two situations: a channel that can be
authenticated (it has signed commits, ‘.guix-authorizations’, and an
“introduction”), and one that cannot.

The idea is that a channel that can be authenticated would remain that
way “forever”.

Toggle quote (12 lines)
> And I am interested by how it works for the situation #3. For a
> concrete example of 3., e.g.,
>
> git clone https://git.savannah.gnu.org/git/guix.git
> git worktree add -b foo wk/foo
> cd wk/foo
> # add my unready stuff
> ./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo
> /tmp/foo/bin/guix install unready-stuff
>
> In this case, do I have to use the option '--disable-authentication'?

Yes, you can always use it.

Toggle quote (3 lines)
> And this is the scenario for almost all the patches on guix-patches;
> even if 'pull' is generally not necessary when testing the patch. :-)

Right. When hacking, I just use ./pre-inst-env to test my stuff.

Toggle quote (8 lines)
> Another example is let consider that this channel [2] -- or any other
> public one used by labs to publish specific tools; I am not aware
> about one by INRIA ;-) -- and let imagine that this channel is
> authenticated, i.e., there is a '.guix-authorizations' file. Now, can
> I fork this channel and my unsigned material without entering in the
> security dance? Do I need to use the option
> '--disable-authentication'?

Note that this patch set changes nothing for third-party channels.
(Attentive readers will find out how to make an authenticated channel,
but it’s undocumented and inconvenient to use.)

In the future, I think ‘guix pull’ will merely print a warning when
using an unauthenticated channel. That’s something we’ll have to
discuss.

If you want to fork an “authenticated channel”, you don’t have to keep
it authenticated. In essence, something who writes:

(channel (name 'zimoun) (url "https://zimoun.example.org"))

states that they want to fetch code from your channel, but that no
authentication will take place because there’s no ‘introduction’ field.

Toggle quote (6 lines)
> Moreover, if this forked channel is added to
> '~/.config/guix/channels.scm', i.e., in addition to
> '%default-channel', what happens for pulling? Well, it is not
> possible to pull a signed channel and an "unauthorized fork from a
> signed channel" in only one command, right?

With this patch set, ‘guix pull’ just behaves the same as now.
In the future, it would probably just print a warning about the
unauthenticated channel.

Toggle quote (4 lines)
> Well, I am sorry to be insistent but this authentication machinery
> seems having an hard implication in my workflow and I would like to be
> prepared.

Definitely, feedback like this is very helpful.

I think it’s important for all of us to think about the implications.
Surely we want security, but not at the cost of usability.

Thanks,
Ludo’.
M
M
Maxim Cournoyer wrote on 9 Jun 2020 19:49
Download
Re: [bug#41767] [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41767@debbugs.gnu.org)
87v9k0i0yj.fsf@gmail.com
Download
Hello!

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (2 lines)
> Fixes https://bugs.gnu.org/22883.

[...]

Toggle quote (27 lines)
> +;; Channel introductions. A "channel introduction" provides a commit/signer
> +;; pair that specifies the first commit of the authentication process as well
> +;; as its signer's fingerprint. The pair must be signed by the signer of that
> +;; commit so that only them may emit this introduction. Introductions are
> +;; used to bootstrap trust in a channel.
> +(define-record-type <channel-introduction>
> + (make-channel-introduction first-signed-commit first-commit-signer
> + signature)
> + channel-introduction?
> + (first-signed-commit channel-introduction-first-signed-commit) ;hex string
> + (first-commit-signer channel-introduction-first-commit-signer) ;bytevector
> + (signature channel-introduction-signature)) ;string
> +
> +(define %guix-channel-introduction
> + ;; Introduction of the official 'guix channel. The chosen commit is the
> + ;; first one that introduces '.guix-authorizations' on the 'core-updates'
> + ;; branch that was eventually merged in 'master'. Any branch starting
> + ;; before that commit cannot be merged or it will be rejected by 'guix pull'
> + ;; & co.
> + (make-channel-introduction
> + "87a40d7203a813921b3ef0805c2b46c0026d6c31"
> + (base16-string->bytevector
> + (string-downcase
> + (string-filter char-set:hex-digit ;mbakke
> + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))
> + #f)) ;TODO: Add an intro signature so it can be exported.

The GnuPG key fingerprint is SHA1 derived, which isn't cryptographically
secure. This doesn't mean fingerprints are unsafe *now* (given that
forging a key to match it isn't currently practical), but I don't think
we should create something *today* that relies on SHA1 for trust. My
point is made moot by the fact that Git uses SHA1 too... but that's
another issue. Just saying, but not blocking or requesting change, as I
don't have a good solution for that, short of patching GnuPG and Git.

[...]

Toggle quote (38 lines)
> + ;; When COMMITS is empty, it's either because AUTHENTICATED-COMMITS
> + ;; contains END-COMMIT or because END-COMMIT is not a descendant of
> + ;; START-COMMIT. Check that.
> + (if (null? commits)
> + (match (commit-relation start-commit end-commit)
> + ((or 'self 'ancestor 'descendant) #t) ;nothing to do!
> + ('unrelated
> + (raise
> + (condition
> + (&message
> + (message
> + (format #f (G_ "'~a' is not related to introductory \
> +commit of channel '~a'~%")
> + (oid->string (commit-id end-commit))
> + (channel-name channel))))))))
> + (begin
> + (format (current-error-port)
> + (G_ "Authenticating channel '~a', \
> +commits ~a to ~a (~h new commits)...~%")
> + (channel-name channel)
> + (commit-short-id start-commit)
> + (commit-short-id end-commit)
> + (length commits))
> +
> + ;; If it's our first time, verify CHANNEL's introductory commit.
> + (when (null? authenticated-commits)
> + (verify-introductory-commit repository
> + (channel-introduction channel)
> + keyring))
> +
> + (call-with-progress-reporter reporter
> + (lambda (report)
> + (authenticate-commits repository commits
> + #:keyring keyring
> + #:report-progress report)))
> +
> + (unless (null? commits)

That condition is already checked above, but OK to be defensive.

Toggle quote (20 lines)
> + (cache-authenticated-commit cache-key
> + (oid->string
> + (commit-id end-commit))))))))
> +
> (define* (latest-channel-instance store channel
> #:key (patches %patches)
> starting-commit)
> @@ -225,6 +387,14 @@ relation to STARTING-COMMIT when provided."
> (update-cached-checkout (channel-url channel)
> #:ref (channel-reference channel)
> #:starting-commit starting-commit)))
> + (if (channel-introduction channel)
> + (authenticate-channel channel checkout commit)
> + ;; TODO: Warn for all the channels once the authentication interface
> + ;; is public.
> + (when (guix-channel? channel)
> + (warning (G_ "the code of channel '~a' cannot be authenticated~%")
> + (channel-name channel))))
> +

Perhaps the warning message could say why.

[...]

Toggle quote (40 lines)
> +(unless (gpg+git-available?) (test-skip 1))
> +(test-assert "authenticate-channel, wrong first commit signer"
> + (with-fresh-gnupg-setup (list %ed25519-public-key-file
> + %ed25519-secret-key-file
> + %ed25519bis-public-key-file
> + %ed25519bis-secret-key-file)
> + (with-temporary-git-repository directory
> + `((add ".guix-channel"
> + ,(object->string
> + '(channel (version 0)
> + (keyring-reference "master"))))
> + (add ".guix-authorizations"
> + ,(object->string
> + `(authorizations (version 0)
> + ((,(key-fingerprint
> + %ed25519-public-key-file)
> + (name "Charlie"))))))
> + (add "signer.key" ,(call-with-input-file %ed25519-public-key-file
> + get-string-all))
> + (commit "first commit"
> + (signer ,(key-fingerprint %ed25519-public-key-file))))
> + (with-repository directory repository
> + (let* ((commit1 (find-commit repository "first"))
> + (intro ((@@ (guix channels) make-channel-introduction)
> + (commit-id-string commit1)
> + (openpgp-public-key-fingerprint
> + (read-openpgp-packet
> + %ed25519bis-public-key-file)) ;different key
> + #f)) ;no signature
> + (channel (channel (name 'example)
> + (url (string-append "file://" directory))
> + (introduction intro))))
> + (guard (c ((message? c)
> + (->bool (string-contains (condition-message c)
> + "initial commit"))))
> + (authenticate-channel channel directory
> + (commit-id-string commit1)
> + #:keyring-reference-prefix "")
> + 'failed))))))

Eh, I like what you did there :-) Very expressive way to setup your
test environment.

So far LGTM.

Maxim
Download
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEJ9WGpPiQCFQyn/CfEmDkZILmNWIFAl7fy6QACgkQEmDkZILm
NWIY3w//cExy21EH0TSHwdPyMy33kTkadvR+GVzebHRC8E5K/NmjFIjqc9XcDQqX
ersa+kje4dbcz312JRmPoY/Ouhe7ZWXQN9Zpa8WicGAWT96y6Uy1gbkFJWKMFLoU
FlWXVdSayBvC2f9hc0DdtcyKnHPyhTq2DiUNNWOk7dssU71oui7N8AkmmrMx3Utj
KSURx3v3p0WkORprCIUoFNhF4xfxNjKj2vnrzs+HxPQCSoV/+IL2LJJ0IqffuUoc
sAv2mskYUJFoo5Weq1RvwL9GdwzhNYzjagrzoyvf03jPpfJF/yhihk/LXkYQjHDI
cj9CpIhEeJNEvnK/n6PfXUwG2lCRHnZ0s5p8DPT66cgE3U4BeWi7mWLYB2wj6qDq
+/NkirVUZnHt8HB0ZOfqUBp0yGzAymAJtahMxPmw9ViCnctBDhsQ4wKLV/Y/BHrP
lEhUO9lmDDqW78ISUh92bMo2SrDIELHLm4eUmlyz5V5XQkQe6vWWr4UY2OynIy/9
Djm+j/fPdRhVT2hmhkXrww/7D+kIzrC0GZ/Gh0Yfe59uAnQixFa+iGo402PNBfzM
mx0EJFQunYMsclk7L6W1ixTNsOojMfgoejS/Jf35L2o8anoypueBYFTRgRMmdvrx
NFWVEY8yM5TviRx0tIgyD4EDdO1WIEe7XqUHM1Mk23jR2+wNC34=
=iEWC
-----END PGP SIGNATURE-----

M
M
Maxim Cournoyer wrote on 9 Jun 2020 20:35
Download
Re: [bug#41767] [PATCH 9/9] DROP? channels: Add prehistorical authorizations to <channel-introduction>.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41767@debbugs.gnu.org)
87o8pshysy.fsf@gmail.com
Download
Hello!

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (17 lines)
> This allows users to authenticate commits that were made before
> '.guix-authorizations' was introduced.
>
> * guix/channels.scm (<channel-introduction>)[prehistorical-authorizations]:
> New field.
> (%guix-historical-committers): New variable.
> (openpgp-fingerprint->bytevector): New procedure.
> (%guix-channel-introduction): Add 'prehistorical-authorizations' field.
> (authenticate-channel): Honor it. Pass it as #:default-authorizations
> to 'authenticate-commits'.
> * build-aux/git-authenticate.scm (%historical-committers)
> (%historical-authorized-signing-keys, commit-short-id): Remove.
> * build-aux/git-authenticate.scm (git-authenticate): Rewrite to use
> 'authenticate-channel'.
> * tests/channels.scm ("authenticate-channel, wrong first commit signer")
> ("authenticate-channel, .guix-authorizations"): Adjust accordingly.

I'd be in favor of dropping this commit, to not be burdened by legacy
complexity, which I'm doubtful would see much use anyway. This means
that a channel require all its commits to have a .guix-authorizations
file to be authenticated. I think that's fine.

The series LGTM. I haven't tested it locally, but the tests give me
confidence.

Thank you for working on this!

Maxim
L
L
Ludovic Courtès wrote on 10 Jun 2020 15:21
Download
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 41767@debbugs.gnu.org)
87zh9bdpk5.fsf@gnu.org
Download
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

Toggle quote (24 lines)
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> This allows users to authenticate commits that were made before
>> '.guix-authorizations' was introduced.
>>
>> * guix/channels.scm (<channel-introduction>)[prehistorical-authorizations]:
>> New field.
>> (%guix-historical-committers): New variable.
>> (openpgp-fingerprint->bytevector): New procedure.
>> (%guix-channel-introduction): Add 'prehistorical-authorizations' field.
>> (authenticate-channel): Honor it. Pass it as #:default-authorizations
>> to 'authenticate-commits'.
>> * build-aux/git-authenticate.scm (%historical-committers)
>> (%historical-authorized-signing-keys, commit-short-id): Remove.
>> * build-aux/git-authenticate.scm (git-authenticate): Rewrite to use
>> 'authenticate-channel'.
>> * tests/channels.scm ("authenticate-channel, wrong first commit signer")
>> ("authenticate-channel, .guix-authorizations"): Adjust accordingly.
>
> I'd be in favor of dropping this commit, to not be burdened by legacy
> complexity, which I'm doubtful would see much use anyway. This means
> that a channel require all its commits to have a .guix-authorizations
> file to be authenticated. I think that's fine.

Yeah, makes sense to me.

Toggle quote (3 lines)
> The series LGTM. I haven't tested it locally, but the tests give me
> confidence.

Cool. I’ll reply to your other comments soonish.

Anyhow, I’ll leave a few more days for people to weigh in before going
further.

Thanks for reviewing!

Ludo’.
L
L
Ludovic Courtès wrote on 11 Jun 2020 11:24
Download
Re: [bug#41767] [PATCH 4/9] channels: 'latest-channel-instance' authenticates Git checkouts.
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 41767@debbugs.gnu.org)
87sgf2araw.fsf@gnu.org
Download
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

Toggle quote (18 lines)
>> +(define %guix-channel-introduction
>> + ;; Introduction of the official 'guix channel. The chosen commit is the
>> + ;; first one that introduces '.guix-authorizations' on the 'core-updates'
>> + ;; branch that was eventually merged in 'master'. Any branch starting
>> + ;; before that commit cannot be merged or it will be rejected by 'guix pull'
>> + ;; & co.
>> + (make-channel-introduction
>> + "87a40d7203a813921b3ef0805c2b46c0026d6c31"
>> + (base16-string->bytevector
>> + (string-downcase
>> + (string-filter char-set:hex-digit ;mbakke
>> + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))
>> + #f)) ;TODO: Add an intro signature so it can be exported.
>
> The GnuPG key fingerprint is SHA1 derived, which isn't cryptographically
> secure. This doesn't mean fingerprints are unsafe *now* (given that
> forging a key to match it isn't currently practical),

Fingerprints are used as an index in the keyring here. If somebody
introduced a second OpenPGP key with the same fingerprint in the keyring
and we picked the wrong one when verifying a signature, signature
verification would just fail. So I think it’s perfectly OK here.

Toggle quote (6 lines)
> but I don't think we should create something *today* that relies on
> SHA1 for trust. My point is made moot by the fact that Git uses SHA1
> too... but that's another issue. Just saying, but not blocking or
> requesting change, as I don't have a good solution for that, short of
> patching GnuPG and Git.

Right, we’re following the OpenPGP standard (which I think is fine in
this respect, at least for this use case) and Git (which is less fine).

Git commit signatures are over computed over the raw commit, something
like:

Toggle snippet (14 lines)
tree 6e3ed6ad90013f8cb685556b0669c8a12f24bd09
parent 394566f7f4a99748f59b86da5bc551903ece5052
author Ludovic Courtès <ludo@gnu.org> 1591626893 +0200
committer Ludovic Courtès <ludo@gnu.org> 1591648112 +0200

tests: Move OpenPGP helpers to (guix tests gnupg).

* tests/git-authenticate.scm (key-id): Remove.
(%ed25519-public-key-file, %ed25519-secret-key-file)
(%ed25519bis-public-key-file, %ed25519bis-secret-key-file)
(read-openpgp-packet, key-fingerprint): Move to...
* guix/tests/gnupg.scm: ... here.

One could forge a tree object with the same SHA1: signature verification
would still pass, but the checkout could be very different.

The “SHA-1 is a Shambles” paper reads:

The GIT developers have been working on replacing SHA-1 for a
while[16], and they use a collision detection library [SS17] to
mitigate the risks of collision attacks.

[16] https://git-scm.com/docs/hash-function-transition/

On the Fediverse, someone pointed out that Bitcoin Core developers
compute a SHA512 hash of Git trees to mitigate it:

https://github.com/bitcoin/bitcoin/tree/master/contrib/verify-commits

What they do is add a “Tree-SHA512:” line to commit logs and check
those in ‘verify-commits.py’:

Toggle snippet (8 lines)
# Check the Tree-SHA512
if (verify_tree or prev_commit == "") and current_commit not in incorrect_sha512_allowed:
tree_hash = tree_sha512sum(current_commit)
if ("Tree-SHA512: {}".format(tree_hash)) not in subprocess.check_output([GIT, 'show', '-s', '--format=format:%B', current_commit]).decode('utf8').splitlines():
print("Tree-SHA512 did not match for commit " + current_commit, file=sys.stderr)
sys.exit(1)

We could do something similar, maybe optionally, but verification would
be expensive (you need to traverse all the blobs of the whole tree for
each commit being authenticated).

At this point, I’d wait for Git’s SHA256 migration to happen, though
https://git-scm.com/docs/hash-function-transition/ doesn’t specify an
ETA.

Toggle quote (16 lines)
>> + ;; If it's our first time, verify CHANNEL's introductory commit.
>> + (when (null? authenticated-commits)
>> + (verify-introductory-commit repository
>> + (channel-introduction channel)
>> + keyring))
>> +
>> + (call-with-progress-reporter reporter
>> + (lambda (report)
>> + (authenticate-commits repository commits
>> + #:keyring keyring
>> + #:report-progress report)))
>> +
>> + (unless (null? commits)
>
> That condition is already checked above, but OK to be defensive.

Oh that’s a leftover, I’ve removed it for clarity.

Toggle quote (7 lines)
>> + (when (guix-channel? channel)
>> + (warning (G_ "the code of channel '~a' cannot be authenticated~%")
>> + (channel-name channel))))
>> +
>
> Perhaps the warning message could say why.

Good point.

Below are changes I made locally to account for your feedback.

Thank you!

Ludo’.
Download
Toggle diff (28 lines)
diff --git a/guix/channels.scm b/guix/channels.scm
index c2ea0e26ff..036c8d9b5d 100644
--- a/guix/channels.scm
+++ b/guix/channels.scm
@@ -369,10 +369,9 @@ commits ~a to ~a (~h new commits)...~%")
                                     #:keyring keyring
                                     #:report-progress report)))
 
-          (unless (null? commits)
-            (cache-authenticated-commit cache-key
-                                        (oid->string
-                                         (commit-id end-commit))))))))
+          (cache-authenticated-commit cache-key
+                                      (oid->string
+                                       (commit-id end-commit)))))))
 
 (define* (latest-channel-instance store channel
                                   #:key (patches %patches)
@@ -392,7 +391,8 @@ relation to STARTING-COMMIT when provided."
         ;; TODO: Warn for all the channels once the authentication interface
         ;; is public.
         (when (guix-channel? channel)
-          (warning (G_ "the code of channel '~a' cannot be authenticated~%")
+          (warning (G_ "channel '~a' lacks an introduction and \
+cannot be authenticated~%")
                    (channel-name channel))))
 
     (when (guix-channel? channel)
M
M
Maxim Cournoyer wrote on 11 Jun 2020 15:15
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41767@debbugs.gnu.org)
878sgtd9r8.fsf@gmail.com
Download
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

Toggle quote (27 lines)
> Hi Maxim,
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>>> +(define %guix-channel-introduction
>>> + ;; Introduction of the official 'guix channel. The chosen commit is the
>>> + ;; first one that introduces '.guix-authorizations' on the 'core-updates'
>>> + ;; branch that was eventually merged in 'master'. Any branch starting
>>> + ;; before that commit cannot be merged or it will be rejected by 'guix pull'
>>> + ;; & co.
>>> + (make-channel-introduction
>>> + "87a40d7203a813921b3ef0805c2b46c0026d6c31"
>>> + (base16-string->bytevector
>>> + (string-downcase
>>> + (string-filter char-set:hex-digit ;mbakke
>>> + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA")))
>>> + #f)) ;TODO: Add an intro signature so it can be exported.
>>
>> The GnuPG key fingerprint is SHA1 derived, which isn't cryptographically
>> secure. This doesn't mean fingerprints are unsafe *now* (given that
>> forging a key to match it isn't currently practical),
>
> Fingerprints are used as an index in the keyring here. If somebody
> introduced a second OpenPGP key with the same fingerprint in the keyring
> and we picked the wrong one when verifying a signature, signature
> verification would just fail. So I think it’s perfectly OK here.

Agreed; thanks for pointing that out. I don't see a problem with our
use of OpenPGP either then :-).

[...]

Toggle quote (31 lines)
> The “SHA-1 is a Shambles” paper reads:
>
> The GIT developers have been working on replacing SHA-1 for a
> while[16], and they use a collision detection library [SS17] to
> mitigate the risks of collision attacks.
>
> [16] https://git-scm.com/docs/hash-function-transition/
>
> On the Fediverse, someone pointed out that Bitcoin Core developers
> compute a SHA512 hash of Git trees to mitigate it:
>
> https://github.com/bitcoin/bitcoin/tree/master/contrib/verify-commits
>
> What they do is add a “Tree-SHA512:” line to commit logs and check
> those in ‘verify-commits.py’:
>
> # Check the Tree-SHA512
> if (verify_tree or prev_commit == "") and current_commit not in incorrect_sha512_allowed:
> tree_hash = tree_sha512sum(current_commit)
> if ("Tree-SHA512: {}".format(tree_hash)) not in subprocess.check_output([GIT, 'show', '-s', '--format=format:%B', current_commit]).decode('utf8').splitlines():
> print("Tree-SHA512 did not match for commit " + current_commit, file=sys.stderr)
> sys.exit(1)
>
> We could do something similar, maybe optionally, but verification would
> be expensive (you need to traverse all the blobs of the whole tree for
> each commit being authenticated).
>
> At this point, I’d wait for Git’s SHA256 migration to happen, though
> <https://git-scm.com/docs/hash-function-transition/> doesn’t specify an
> ETA.

Thanks for pointing that interesting workaround! I agree that given
Git's plans to migrate to SHA256, it seems reasonable to wait for them
to upgrade and spend our energy somewhere else.

Your changes LGTM.

Thank you,

Maxim
L
L
Ludovic Courtès wrote on 13 Jun 2020 11:46
Download
Re: [bug#41767] [PATCH 0/9] Authenticate channels
(address . 41767@debbugs.gnu.org)
87v9jv1eo1.fsf@gnu.org
Download
Hello Guix!

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (6 lines)
> This patch series does it! It integrates checkout authentication
> with (guix channels). Now, ‘guix pull’, ‘guix time-machine’ etc.
> automatically authenticate the commits they fetch and raise an
> error if they find an unsigned commit or a commit signed by an
> unauthorized party¹.

Last days to comment on this change! :-)

https://issues.guix.gnu.org/41767

If there are no objections by then, I’ll push on Tuesday 16th.

Ludo’.
Z
Z
zimoun wrote on 13 Jun 2020 13:42
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 41767@debbugs.gnu.org)
86ftaznqeq.fsf@gmail.com
Download
Hi Ludo,

Thank you for explaining. All is clear. :-)


Toggle quote (11 lines)
>> git clone https://git.savannah.gnu.org/git/guix.git
>> git worktree add -b foo wk/foo
>> cd wk/foo
>> # add my unready stuff
>> ./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo
>> /tmp/foo/bin/guix install unready-stuff
>>
>> In this case, do I have to use the option '--disable-authentication'?
>
> Yes, you can always use it.

"Qui peut le plus peut le moins." ;-)

The question is: is it mandatory?


Toggle quote (16 lines)
> Note that this patch set changes nothing for third-party channels.
> (Attentive readers will find out how to make an authenticated channel,
> but it’s undocumented and inconvenient to use.)
>
> In the future, I think ‘guix pull’ will merely print a warning when
> using an unauthenticated channel. That’s something we’ll have to
> discuss.
>
> If you want to fork an “authenticated channel”, you don’t have to keep
> it authenticated. In essence, something who writes:
>
> (channel (name 'zimoun) (url "https://zimoun.example.org"))
>
> states that they want to fetch code from your channel, but that no
> authentication will take place because there’s no ‘introduction’ field.

The root of my question is answered. :-)

And I do not know if I am an attentive reader but my concerns were about
this future discussion. So let discuss that in the future. ;-)


Thank you for this nice piece of work!

All the best,
simon

ps:
Sorry for the delay, I changed how I process emails and this message
"disappeared". And I am not sure this answer will be correctly
delivered. Sorry in advance if I mess something.
L
L
Ludovic Courtès wrote on 14 Jun 2020 15:51
Download
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 41767@debbugs.gnu.org)
87mu55vjpz.fsf@gnu.org
Download
Hi,

zimoun <zimon.toutoune@gmail.com> skribis:

Toggle quote (15 lines)
>>> git clone https://git.savannah.gnu.org/git/guix.git
>>> git worktree add -b foo wk/foo
>>> cd wk/foo
>>> # add my unready stuff
>>> ./pre-inst-env guix pull --branch=foo --url=$PWS -p /tmp/foo
>>> /tmp/foo/bin/guix install unready-stuff
>>>
>>> In this case, do I have to use the option '--disable-authentication'?
>>
>> Yes, you can always use it.
>
> "Qui peut le plus peut le moins." ;-)
>
> The question is: is it mandatory?

If you have a local fork with unauthorized commits (for instance, you
made commits yourself and you’re not listed in ‘.guix-authorizations’)
then yes, you have to use ‘--disable-authentication’.

The alternative for you would be to publish an introduction for your
fork, which means you would be able to test which is the first commit to
authenticate.

However, this may be inconvenient for one-off forks where you just want
to test changes. In that case, ./pre-inst-env probably remains the
preferred approach.

Thanks,
Ludo’.
L
L
Ludovic Courtès wrote on 16 Jun 2020 16:22
Download
(address . 41767-done@debbugs.gnu.org)(address . 22883@debbugs.gnu.org)
87366vt7i9.fsf@gnu.org
Download
Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (12 lines)
> git-authenticate: Cache takes a key parameter.
> git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
> tests: Move OpenPGP helpers to (guix tests gnupg).
> channels: 'latest-channel-instance' authenticates Git checkouts.
> channels: Make 'validate-pull' call right after clone/pull.
> .guix-channel: Add 'keyring-reference'.
> channels: Automatically add introduction for the official 'guix'
> channel.
> pull: Add '--disable-authentication'.
> DROP? channels: Add prehistorical authorizations to
> <channel-introduction>.

Pushed!

619972f7b5 maint: "make authenticate" behaves like 'guix pull' by default.
838ac881ec time-machine: Add '--disable-authentication'.
a9eeeaa6ae pull: Add '--disable-authentication'.
c3f6f564e9 channels: Automatically add introduction for the official 'guix' channel.
a941e8fe1f .guix-channel: Add 'keyring-reference'.
5bafc70d1e channels: Make 'validate-pull' call right after clone/pull.
43badf261f channels: 'latest-channel-instance' authenticates Git checkouts.
1e2b9bf2d4 tests: Move OpenPGP helpers to (guix tests gnupg).
41946b79f1 git-authenticate: 'authenticate-commits' takes a #:keyring parameter.
a450b4343b git-authenticate: Cache takes a key parameter.

I made the following changes:

1. The introductory of the ‘guix’ channel is now
9edb3f66fd807b096b48283debdcddccfea34bad (was
87a40d7203a813921b3ef0805c2b46c0026d6c31). This is because one of
the parents of 9edb3f66fd807b096b48283debdcddccfea34bad lacks
‘.guix-authorizations’. Consider it set in stone now!

2. I added ‘--disable-authentication’ for ‘guix time-machine’ in a
extra commit (it was easier than I thought because we don’t need to
disable inferior caching).

3. In an extra commit, I made “make authenticate” behave like ‘guix
pull’ by default—i.e., assume that commits whose parent lack the
‘.guix-authorizations’ file are unauthorized. It’s still possible
to run “make authenticate GUIX_USE_HISTORICAL_AUTHORIZATIONS=yes”
to assume “historical authorizations” for those commits.

Future work includes making that mechanism available to third-party
channels, which in turn means providing a public interface for “channel
introductions” and probably a ‘guix channel’ CLI, as discussed earlier.

Let me know if you notice anything wrong!

Ludo’.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send email to 41767@debbugs.gnu.org