Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Taylan Kammer
On 11.03.2021 20:16, Leo Famulari wrote:
> On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
>> Damn, sorry about that.  I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
> 
> The security model is based on the client-side, i.e. `guix pull`. That
> way, we don't have to trust the Git repo. We do want to improve the repo
> so that it's not possible to push commits signed with unauthorized keys,
> but that hasn't been done yet.
>   
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.  I did that via the web interface, and
>> ensured that the encryption test is successful.  The commit is signed
>> with that new GPG key.
> 
> Adding your key(s) to your Savannah account is a required step...
> 
>> Are the GPG keys added to one's Savannah account unrelated to commit
>> signing in the Guix repo, or are they not automatically synced, or is
>> this a further bug?..
> 
> ... but, we have a new code authentication system, described in the
> manual section Specifying Channel Authorizations:
> 
> https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html
> 
> Basically, committers' keys must be added to the .guix-authorizations
> file in the Git repo before their work will be accepted by `guix pull`.
> 
> We are really happy that you are pushing code again :)
> 
> When this issue popped up yesterday, I removed your commit access just
> to avoid further broken commits. Concretely, this means that I removed
> you from the Guix "group" on Savannah.
> 
> However, I want to re-add you as a committer. Please read the manual
> sections Commit Access. Especially, the part about the pre-push Git
> hook, which would have caught this issue before pushing.
> 
> https://guix.gnu.org/manual/en/html_node/Commit-Access.html
> 
> Let me know when you've read the updated committer workflow guidelines
> and installed the pre-push Git hook, and we'll add your new key to
> .guix-authorizations, re-add you to the Savannah group, and then we can
> continue with our happy hacking :)

Thanks for the kind explanation!  I'll get in touch when I'm not so out
of the loop anymore.  To be honest I was just "summoned" by a bug report
on guile-bytestructures and am otherwise still overloaded with work life
plus personal projects outside of free software.


- Taylan



Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Taylan Kammer
On 11.03.2021 15:59, Tobias Geerinckx-Rice wrote:
> Taylan,
> 
> So if I needed to send you encrypted mail, I'd have to possess all of
> your current GPG keys and encrypt to all of them?  Thanks for the
> heads-up ;-)  I'm not sure if that's how GPG is supposed to work (‘who
> does’, you say? fair point).

Hah, good point.  Shows that I've never seriously used GPG before. :-)

I'll have to get used to the idea that I need to keep around a file
backed up on a physical medium that authenticates me.  My whole life
I've always just trusted my memory to keep safe those few passwords that
can't be reset via email.


- Taylan



Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Leo Famulari
On Thu, Mar 11, 2021 at 12:15:19AM +0100, Taylan Kammer wrote:
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.

The security model is based on the client-side, i.e. `guix pull`. That
way, we don't have to trust the Git repo. We do want to improve the repo
so that it's not possible to push commits signed with unauthorized keys,
but that hasn't been done yet.
  
> However, I also assumed that adding a new GPG key to my savannah.gnu.org
> account would be sufficient.  I did that via the web interface, and
> ensured that the encryption test is successful.  The commit is signed
> with that new GPG key.

Adding your key(s) to your Savannah account is a required step...

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo, or are they not automatically synced, or is
> this a further bug?..

... but, we have a new code authentication system, described in the
manual section Specifying Channel Authorizations:

https://guix.gnu.org/manual/en/html_node/Specifying-Channel-Authorizations.html

Basically, committers' keys must be added to the .guix-authorizations
file in the Git repo before their work will be accepted by `guix pull`.

We are really happy that you are pushing code again :)

When this issue popped up yesterday, I removed your commit access just
to avoid further broken commits. Concretely, this means that I removed
you from the Guix "group" on Savannah.

However, I want to re-add you as a committer. Please read the manual
sections Commit Access. Especially, the part about the pre-push Git
hook, which would have caught this issue before pushing.

https://guix.gnu.org/manual/en/html_node/Commit-Access.html

Let me know when you've read the updated committer workflow guidelines
and installed the pre-push Git hook, and we'll add your new key to
.guix-authorizations, re-add you to the Savannah group, and then we can
continue with our happy hacking :)




Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Julien Lepiller
Also, make sure to install the pre-push hook, it should not have let you commit 
without checking your commits were properly recognised.

On 11 March 2021 08:11:38 GMT-05:00, Taylan Kammer wrote:
>On 11.03.2021 08:37, Maxime Devos wrote:
>> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>>> [...]
>>> Damn, sorry about that.  I assumed of course that an improperly signed
>>> commit would not be accepted, so I didn't pay any special mind.
>>>
>>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>>> account would be sufficient.
>> 
>> "guix pull" only looks at the git repo (the .guix-authorizations file + the
>> keyring branch), and not anything else provided by savannah.  Doing so would
>> introduce an additional point where the "guix pull" mechanism could be
>> compromised.  The git repository could as well have been hosted at
>> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
>> 
>> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
>> ‘7.4 Invoking ‘guix git authenticate’’).
>
>Thanks, makes sense.
>
>I'm hopping workstations recently, and my general habit is to create new
>keys on each machine I'm using and register them wherever needed.
>(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)
>
>I guess I shouldn't do that with Guix push access and instead keep a GPG
>key on a USB drive or such.
>
>
>- Taylan


Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Tobias Geerinckx-Rice

Taylan,

So if I needed to send you encrypted mail, I'd have to possess all 
of your current GPG keys and encrypt to all of them?  Thanks for 
the heads-up ;-)  I'm not sure if that's how GPG is supposed to 
work (‘who does’, you say? fair point).


I do know that UIDs like ‘Jessie Doe (professional)’ are 
discouraged because people signing your key would (according to 
GPG logic) be vouching that you are, in fact, professional.


Anyway, you still need to make sure that *all* of your keys are 
available on Savannah.  It seems they are but they've expired.


Taylan Kammer wrote:
> I'm hopping workstations recently, and my general habit is to create new
> keys on each machine I'm using and register them wherever needed.
> (E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)


Makes good sense for SSH keys.

Kind regards,

T G-R




Re: Commit pushed to master with unauthorised signature

2021-03-11 Thread Taylan Kammer
On 11.03.2021 08:37, Maxime Devos wrote:
> On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
>> [...]
>> Damn, sorry about that.  I assumed of course that an improperly signed
>> commit would not be accepted, so I didn't pay any special mind.
>>
>> However, I also assumed that adding a new GPG key to my savannah.gnu.org
>> account would be sufficient.
> 
> "guix pull" only looks at the git repo (the .guix-authorizations file + the
> keyring branch), and not anything else provided by savannah.  Doing so would
> introduce an additional point where the "guix pull" mechanism could be
> compromised.  The git repository could as well have been hosted at
> $RANDOM_SPY_AGENCY or $RANDOM_FORGE.
> 
> (See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
> ‘7.4 Invoking ‘guix git authenticate’’).

Thanks, makes sense.

I'm hopping workstations recently, and my general habit is to create new
keys on each machine I'm using and register them wherever needed.
(E.g. .ssh/authorized_keys on machines I access, GitHub account, etc.)

I guess I shouldn't do that with Guix push access and instead keep a GPG
key on a USB drive or such.


- Taylan



Re: Commit pushed to master with unauthorised signature

2021-03-10 Thread Maxime Devos
On Thu, 2021-03-11 at 00:15 +0100, Taylan Kammer wrote:
> [...]
> Damn, sorry about that.  I assumed of course that an improperly signed
> commit would not be accepted, so I didn't pay any special mind.
> 
> However, I also assumed that adding a new GPG key to my savannah.gnu.org
> account would be sufficient.

"guix pull" only looks at the git repo (the .guix-authorizations file + the
keyring branch), and not anything else provided by savannah.  Doing so would
introduce an additional point where the "guix pull" mechanism could be
compromised.  The git repository could as well have been hosted at
$RANDOM_SPY_AGENCY or $RANDOM_FORGE.

(See ‘16.8 Commit Access’, ‘6.8 Specifying Channel Authorizations’ and
‘7.4 Invoking ‘guix git authenticate’’).

> Are the GPG keys added to one's Savannah account unrelated to commit
> signing in the Guix repo,

Yes (though they probably are the same in practice).

> or are they not automatically synced,

Yes, they aren't.

> this a further bug?..

No, savannah is not ‘trusted’ beyond being online, as that would introduce
another point where "guix pull" could be compromised.

Maxime.
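
The client-side check described in the message above, as an added example that is not part of the original thread and is not Guix's code: a simplified Python model of the rule from the manual section Specifying Channel Authorizations, under which a commit passes only if its signing key is in the keyring and is listed in the .guix-authorizations file of each parent commit. The commit ids, the `userN` names, the `key-missing`/`unauthorized` labels and every fingerprint except the one quoted in the thread are constructed for illustration.

```python
import re
from dataclasses import dataclass

def norm(fpr):  # spaced and unspaced fingerprints compare equal
    return re.sub(r"\s+", "", fpr).upper()

def authorized_keys(text):
    """Fingerprints listed in a .guix-authorizations s-expression."""
    quoted = re.findall(r'"([0-9A-Fa-f\s]+)"', text)
    return {norm(q) for q in quoted if len(norm(q)) == 40}

@dataclass
class Commit:
    parents: list        # parent commit ids
    signer: str          # fingerprint of the signing key
    authorizations: str  # .guix-authorizations in this commit's tree

def authenticate(history, keyring, start, tip):
    """Walk back from tip to the trusted start; return a list of failures."""
    failures, seen, todo = [], {start}, [tip]
    while todo:
        cid = todo.pop()
        if cid in seen:
            continue
        seen.add(cid)
        commit, key = history[cid], norm(history[cid].signer)
        if key not in keyring:              # public key absent from 'keyring'
            failures.append((cid, "key-missing"))
        elif any(key not in authorized_keys(history[p].authorizations)
                 for p in commit.parents):  # not listed by every parent
            failures.append((cid, "unauthorized"))
        todo.extend(commit.parents)
    return failures

def authz(*fprs):  # constructed file content in the manual's format
    body = "\n  ".join(f'("{f}" (name "user{i}"))' for i, f in enumerate(fprs))
    return f"(authorizations\n (version 0)\n ({body}))\n"

# Constructed sample data; only PAGE_KEY is taken from the thread.
ALICE, BOB, CAROL = (" ".join([c * 4] * 10) for c in "ABC")
PAGE_KEY = "51A0 982A 58B6 4622 4648  3308 5EEB 3986 CB2F 65ED"
HISTORY = {
    "intro": Commit([], ALICE, authz(ALICE)),
    "c1": Commit(["intro"], ALICE, authz(ALICE, BOB)),   # Alice authorizes Bob
    "c2": Commit(["c1"], BOB, authz(ALICE, BOB)),        # passes: listed in c1
    "c3": Commit(["c2"], PAGE_KEY, authz(ALICE, BOB)),   # key not in keyring
    "self": Commit(["c2"], CAROL, authz(ALICE, BOB, CAROL)),  # adds own key
}
KEYRING = {norm(k) for k in (ALICE, BOB, CAROL)}
```

The `self` commit fails even though its own tree lists the signer, because the check reads the parents' copy of the file; a new key has to be added by an already authorized committer in an earlier commit.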




Re: Commit pushed to master with unauthorised signature

2021-03-10 Thread Taylan Kammer
On 10.03.2021 22:22, Tobias Geerinckx-Rice wrote:

> Earlier today the following commit was pushed to master:
> 
> --8<---cut here---start->8---
> commit 15092548804b6c50ea276d098f76a79bd0042398
> gpg: Signature made Wed Mar 10 19:55:39 2021 CET
> gpg:    using RSA key 51A0982A58B64622464833085EEB3986CB2F65ED
> gpg: Good signature from "Taylan Kammer (Debian10VM)
> " [unknown]
> Primary key fingerprint: 51A0 982A 58B6 4622 4648  3308 5EEB 3986 CB2F 65ED
> Author: Taylan Kammer 
> 
>    gnu: guile-bytestructures: Update to 1.0.10.
> 
>    * gnu/packages/guile.scm (guile-bytestructures): Update to    1.0.10.
> --8<---cut here---end--->8---
> 
> The key with fingerprint 51A0 982A 58B6 4622 4648  3308 5EEB 3986 CB2F
> 65ED is not present in .guix-authorizations, nor in the ‘keyring’
> branch.  This broke ‘guix pull’ for all users[0]:
> 
> --8<---cut here---start->8---
> guix pull: error: could not authenticate commit
> 15092548804b6c50ea276d098f76a79bd0042398: key 51A0 982A 58B6 4622 4648
> 3308 5EEB 3986 CB2F 65ED is missing
> --8<---cut here---end--->8---

Damn, sorry about that.  I assumed of course that an improperly signed
commit would not be accepted, so I didn't pay any special mind.

However, I also assumed that adding a new GPG key to my savannah.gnu.org
account would be sufficient.  I did that via the web interface, and
ensured that the encryption test is successful.  The commit is signed
with that new GPG key.

Are the GPG keys added to one's Savannah account unrelated to commit
signing in the Guix repo, or are they not automatically synced, or is
this a further bug?..


- Taylan