From: Vagrant Cascadian
To: Ricardo Wurmus, Ludovic Courtès
Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Date: Sat, 28 Dec 2019 18:45:34 -0800

On 2019-12-27, Ricardo Wurmus wrote:
>> b3011dbbd2 doc: Mention "make authenticate".
>> 787766ed1e git-authenticate: Keep a local cache of previously-authenticated commits.
>> 785af04a75 git: 'commit-difference' takes a list of excluded commits.
>> 1e43ab2c03 Add 'build-aux/git-authenticate.scm'.
>>
>> Commit 787766ed1e takes care of caching (one of the limitations I
>> mentioned in my previous message).
>>
>> Commit b3011dbbd2 adds instructions for contributors on how to
>> authenticate a checkout (copied below).  It’s a bit bumpy so I would
>> very much welcome feedback and suggestions on how to improve this!
>
> This is great!

Yes! Yes!

> Thank you for the instructions.  I thought I had all keys, but
> apparently at least one of them is missing.  “make authenticate” fails
> for me with this error:
>
>   Throw to key `srfi-34' with args `(#)'.
>
> I previously downloaded the gpg keyring from Savannah:
>
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>
> Looks like Hartmut used to use a different key, which I don’t have.

I got this too, and manually worked around it by downloading
guix-keyring.gpg from:

  https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1

And running:

  gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg

It seems to be working now... how is the keyring *supposed* to be
populated? Before I manually imported guix-keyring.gpg into guix.kbx,
there were a very small number of keys present.

It's a little awkward that it uses the fingerprint of the signing key
rather than the primary key, as by default things like "gpg --list-keys"
do not display the fingerprint of signing keys, only the primary key, so
it is an adventure in gpg commandline options to correlate them.
"gpg log --show-signature" also reports the primary key fingerprint,
if the key is available in the keyring, and only the subkey fingerprint
for unknown keys if I remember correctly.

It would be nice if the statistics would display the primary uid
instead, as it is something a little more human readable, and the
primary key fingerprint, as it is a little easier to find. :)

I'm hoping the eventual goal is to integrate this into guix pull?

Very nice to see progress on this issue!

live well,
  vagrant
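
Added example, not part of the message above and not Guix code: one way to correlate a signing-subkey fingerprint with its primary key fingerprint and first listed user ID by parsing gpg's colon-delimited key listing. The function names and the sample keyring text are constructed for illustration; it assumes a GnuPG 2.1 or later listing in which each pub and sub record is followed by its fpr record.

```python
"""Resolve a signing-subkey fingerprint to its primary key and user ID."""

# Constructed sample in the format printed by
#   gpg --no-default-keyring --keyring KEYRING \
#       --list-keys --with-colons --with-subkey-fingerprint
# The fingerprints and user IDs below are made up.
SAMPLE = "\n".join([
    "pub:-:4096:1:" + "A" * 16 + ":1500000000:::-:::scESC::::::23::0:",
    "fpr:::::::::" + "A" * 40 + ":",
    "uid:-::::1500000000::" + "0" * 40
    + "::Alice Example <alice@example.org>::::::::::0:",
    "sub:-:4096:1:" + "B" * 16 + ":1500000000::::::s::::::23:",
    "fpr:::::::::" + "B" * 40 + ":",
    "pub:-:255:22:" + "C" * 16 + ":1600000000:::-:::scSC:::::ed25519:::0:",
    "fpr:::::::::" + "C" * 40 + ":",
    "uid:-::::1600000000::" + "1" * 40
    + "::Bob Example <bob@example.org>::::::::::0:",
])


def index_keyring(listing):
    """Map every key and subkey fingerprint to (primary fingerprint, uid)."""
    owner = {}      # any fingerprint -> fingerprint of its primary key
    uids = {}       # primary fingerprint -> first user ID listed for it
    primary = None  # primary key of the key block being read
    last = None     # "pub" or "sub": the record the next fpr line describes
    for line in listing.splitlines():
        field = line.split(":")
        kind = field[0]
        if kind in ("pub", "sub"):
            last = kind
        elif kind == "fpr" and last:
            fpr = field[9]              # field 10 holds the fingerprint
            if last == "pub":
                primary = fpr
            owner[fpr] = primary
            last = None
        elif kind == "uid" and primary:
            # Field 10 is the user ID, left in gpg's escaped form here.
            uids.setdefault(primary, field[9])
    return {fpr: (prim, uids.get(prim)) for fpr, prim in owner.items()}


def resolve(listing, fingerprint):
    """Return (primary fingerprint, uid), or None if the key is absent."""
    wanted = fingerprint.replace(" ", "").upper()
    return index_keyring(listing).get(wanted)


if __name__ == "__main__":
    print(resolve(SAMPLE, "B" * 40))
```

A None result corresponds to the situation described in the thread: the commit was signed by a key that is not in the keyring being checked.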