Hello,

Here's a small patch to (guix git) so that cloning/fetching from ssh authenticated repositories is supported using ssh agent.

I tested:

* guix pull --url=g...@gitlab.com:mothacehe/private.git
* guix pull with the following channel configuration

--8<---------------cut here---------------start------------->8---
(cons* (channel
        (name 'gitlab)
        (url "g...@gitlab.com:mothacehe/test-channel.git"))
       %default-channels)
--8<---------------cut here---------------end--------------->8---

This works fine, but we still need to see how it works for Cuirass inputs and (guix git-download) module.

Mathieu
>From ae380c15f1c37e2c94e0954975f5f712e76340ac Mon Sep 17 00:00:00 2001 From: Mathieu Othacehe <m.othac...@gmail.com> Date: Mon, 3 Feb 2020 18:05:02 +0100 Subject: [PATCH] git: Add ssh authentication support. SSH agent authentication method is used. * guix/git.scm (auth-method): New variable, (clone*): pass previous variable in clone options, (update-cached-checkout): pass previous variable in fetch options. --- guix/git.scm | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/guix/git.scm b/guix/git.scm index a12f1eec8e..aee7b325e0 100644 --- a/guix/git.scm +++ b/guix/git.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2017 Mathieu Othacehe <m.othac...@gmail.com> +;;; Copyright © 2017, 2020 Mathieu Othacehe <m.othac...@gmail.com> ;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <l...@gnu.org> ;;; ;;; This file is part of GNU Guix. @@ -108,6 +108,9 @@ the 'SSL_CERT_FILE' and 'SSL_CERT_DIR' environment variables." (string-append "R:" url) url)))))) +;; Default authentication method. +(define auth-method (%make-auth-ssh-agent)) + (define (clone* url directory) "Clone git repository at URL into DIRECTORY. Upon failure, make sure no empty directory is left behind." @@ -119,7 +122,9 @@ make sure no empty directory is left behind." ;; value in Guile-Git: <https://bugs.gnu.org/29238>. (if (module-defined? (resolve-interface '(git)) 'clone-init-options) - (clone url directory (clone-init-options)) + (clone url directory + (make-clone-options + #:fetch-options (make-fetch-options auth-method))) (clone url directory))) (lambda _ (false-if-exception (rmdir directory))))) 
@@ -281,7 +286,8 @@ When RECURSIVE? is true, check out submodules as well, if any." ;; Only fetch remote if it has not been cloned just before. (when (and cache-exists? (not (reference-available? repository ref))) - (remote-fetch (remote-lookup repository "origin"))) + (remote-fetch (remote-lookup repository "origin") + #:fetch-options (make-fetch-options auth-method))) (when recursive? (update-submodules repository #:log-port log-port)) (let ((oid (switch-to-ref repository canonical-ref))) -- 2.25.0
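Review bot: in the hunk at @@ -108,6 +108,9, (define auth-method (%make-auth-ssh-agent)) is evaluated unconditionally when (guix git) is loaded, while clone* just below still guards its call with module-defined? to cope with a Guile-Git that lacks newer bindings. If that compatibility is still wanted, a Guile-Git without %make-auth-ssh-agent would now fail as soon as the module is loaded; either make this definition conditional as well, or require the newer Guile-Git and drop the guard. The one-line comment could also say what is expected when no agent is running, and a parameter (or at least a name like %default-auth-method) would leave room for the Cuirass case the cover letter mentions as still open.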
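Review bot: in clone* (hunk at @@ -119,7 +122,9), the module-defined? test still checks for 'clone-init-options, but the branch it guards now calls make-clone-options and make-fetch-options instead, so the guard no longer tests the bindings the code depends on. Test for a binding the new call actually uses (for example 'make-clone-options), and re-check the comment above it that cites <https://bugs.gnu.org/29238> against the new call.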
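Review bot: in update-cached-checkout (hunk at @@ -281,7 +286,8), only the remote-fetch call receives #:fetch-options; the (update-submodules repository #:log-port log-port) call two lines below is left unchanged. If RECURSIVE? checkouts are meant to work with submodules hosted on ssh-authenticated repositories, check whether update-submodules needs the same fetch options, or state the limitation in the commit message.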
Ludovic Courtès writes:

> Hey ho!
>
> Clément Lassieur <clem...@lassieur.org> writes:
>
>> Whoo, nice, thank you so much Mathieu!  I'll test everything this
>> week-end probably, and start working on the (guix git) / Cuirass
>> counterpart (which is 1% of the work :D).
>
> Neat!
>
>>> So "latest-repository-commit" could be called with ssh authentication
>>> parameters.  However, the guix-daemon won't be able to communicate with the
>>> user ssh-agent, and storing an unencrypted private ssh key in the store
>>> doesn't feel great to me.
>>>
>>> Do you see any workaround?
>>
>> As far as I understand, LATEST-REPOSITORY-COMMIT is never called by the
>> daemon, it downloads stuff first and then calls ADD-TO-STORE.  So both
>> using the SSH agent or passing a private SSH key should be
>> straightforward.
>
> Indeed.  ‘guix pull --url’ and ‘guix build --with-git-url’ (and similar)
> should work just fine.
>
> Thanks!
>
> Ludo’.