From: Jakub Kądziołka
To: 22883@debbugs.gnu.org
Date: Tue, 31 Dec 2019 20:16:39 +0100
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Message-ID: <20191231191639.s2o4ycysloj4kwb5@zdrowyportier.kadziolka.net>

Hi Guix!
Ludovic Courtès wrote:

> --8<---------------cut here---------------start------------->8---
> If you want to hack Guix itself, it is recommended to use the latest
> version from the Git repository:
>
>   git clone https://git.savannah.gnu.org/git/guix.git
>
> How do you ensure that you obtained a genuine copy of the repository?
> Guix itself provides a tool to “authenticate” your checkout, but you
> must first make sure this tool is genuine in order to “bootstrap” the
> trust chain. To do that, run:
>
>   git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
>
> The output must look something like:
>
>   gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
>   gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>   ...
>   gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
>   gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>   ...
>
> ... meaning that changes to this file are all signed with key
> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
> key from a key server, if you have not done it yet).
>
> From there on, you can authenticate all the commits included in your
> checkout by running:
>
>   make authenticate
>
> The first run takes a couple of minutes, but subsequent runs are
> faster.
>
> Note: You are advised to run ‘make authenticate’ after every ‘git
> pull’ invocation. This ensures you keep receiving valid changes to
> the repository.
> --8<---------------cut here---------------end--------------->8---

Sadly, these instructions don't work from a fresh clone. There is only
Makefile.am and no Makefile itself, so you get

  $ make authenticate
  make: *** No rule to make target 'authenticate'.  Stop.

Moreover, I don't think running 'make authenticate' after 'git pull'
would really work -- after you pulled, git-authenticate could've been
modified, so the verify-commit you did earlier doesn't apply anymore.

There's also the issue of trusting pre-inst-env, which is used to run
the verification.
Should that be passed to 'git log --format=%H' next to
git-authenticate.scm? This also applies to any scripts you use to drive
this process, like the Makefile.

Regards,
Kuba
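The point raised above (every file that drives the verification, not just git-authenticate.scm, has to be covered by the bootstrap check, and the check has to be repeated after each pull) can be turned into a small re-runnable script. The following is an added example written for this page; it is not code from the bug report or from Guix. It consumes the output of git's own signature placeholders, `%G?` (signature status) and `%GF` (fingerprint of the signing key), for the history of the bootstrap files, and insists that every commit carries a good signature from the single fingerprint quoted in the report. The choice of `Makefile.am` as a second bootstrap file follows the report's suggestion; the sample log lines are constructed, not real Guix history.

```python
"""Re-runnable bootstrap check for the files that drive `make authenticate`.

Added example, not part of the bug report or of Guix. It runs

    git log --format='%H %G? %GF' -- build-aux/git-authenticate.scm Makefile.am

and fails unless every commit touching those files is signed by the pinned key.
`%G?` and `%GF` are standard git pretty-format placeholders.
"""
import subprocess
import sys

# Fingerprint quoted in the report's instructions. Assumption: this is the only
# key allowed to touch the bootstrap files.
TRUSTED_FINGERPRINT = "3CE464558A84FDC69DB40CFB090B11993D9AEBB5"

# Files whose full history must be signed before `make authenticate` is trusted.
# Assumption: Makefile.am is the driver the report asks about; if pre-inst-env is
# generated from a template, that template belongs in this list as well.
BOOTSTRAP_FILES = ["build-aux/git-authenticate.scm", "Makefile.am"]

LOG_FORMAT = "%H %G? %GF"   # commit hash, signature status letter, key fingerprint


def git_log_command(paths=BOOTSTRAP_FILES):
    """The git invocation whose output check_log() expects."""
    return ["git", "log", f"--format={LOG_FORMAT}", "--"] + list(paths)


def check_log(lines, trusted=TRUSTED_FINGERPRINT):
    """Return (ok, problems) for lines in '%H %G? %GF' form.

    A commit passes only if the status is 'G' (good, trusted) or 'U' (good
    signature, key not yet marked trusted in gpg) AND the signing key is the
    pinned fingerprint. 'U' is accepted because a key freshly fetched from a
    key server has no gpg trust yet; the fingerprint pin carries the trust.
    Every other status (N unsigned, B bad, E error, X/Y expired, R revoked)
    is a failure.
    """
    problems = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        commit, status = parts[0], parts[1] if len(parts) > 1 else "N"
        fpr = parts[2] if len(parts) > 2 else ""
        if status not in ("G", "U"):
            problems.append(f"{commit}: signature status {status!r}, want G or U")
        elif fpr.upper() != trusted.upper():
            problems.append(f"{commit}: signed by {fpr or '<none>'}, not the pinned key")
    return (not problems, problems)


# Constructed sample output (fake hashes), not real repository history.
CONSTRUCTED_GOOD = [
    "a" * 40 + " G " + TRUSTED_FINGERPRINT,
    "b" * 40 + " U " + TRUSTED_FINGERPRINT,   # good signature, gpg trust not set
]
CONSTRUCTED_BAD = CONSTRUCTED_GOOD + [
    "c" * 40 + " N",                                               # unsigned commit
    "d" * 40 + " G 0123456789ABCDEF0123456789ABCDEF01234567",      # valid, wrong key
]


def main():
    try:
        out = subprocess.run(git_log_command(), check=True, text=True,
                             capture_output=True).stdout
        lines = out.splitlines()
    except (OSError, subprocess.CalledProcessError):
        print("not in a git checkout; checking constructed sample output instead")
        lines = CONSTRUCTED_BAD
    ok, problems = check_log(lines)
    for p in problems:
        print("FAIL:", p)
    print("bootstrap files OK" if ok else "do not run `make authenticate`")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the checkout after every `git pull`, before `make authenticate`: because it re-reads the whole history of the bootstrap files each time, a pull that modifies git-authenticate.scm or Makefile.am with an unsigned or differently signed commit is caught, which is exactly the gap between "verify once" and "pull repeatedly" that the message describes.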