guix-devel

Re: bug#22883: Authenticating Git checkouts: step #1


From: Ludovic Courtès
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Date: Mon, 30 Dec 2019 22:29:35 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello!

Vagrant Cascadian <address@hidden> writes:

> On 2019-12-27, Ricardo Wurmus wrote:

[...]

>> Thank you for the instructions.  I thought I had all keys, but
>> apparently at least one of them is missing.  “make authenticate” fails
>> for me with this error:
>>
>> Throw to key `srfi-34' with args `(#<condition &message [message: "could not authenticate commit b291c9570d5a27b11472df3df61cef9ed012241b: key B943509D633E80DD27FC4EED634A8DFFD3F631DF is missing"] 7f70fb08c240>)'.
>>
>> I previously downloaded the gpg keyring from Savannah:
>>
>>     https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>>
>> Looks like Hartmut used to use a different key, which I don’t have.
>
> I got this too, and manually worked around it by downloading
> guix-keyring.gpg from:
>
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>
> And running:
>
>   gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg
>
> It seems to be working now... how is the keyring *supposed* to be
> populated? Before I manually imported guix-keyring.gpg into guix.kbx,
> there were a very small number of keys present.

By default, the script currently automatically downloads keys from
keyserver into ~/.config/…/guix.kbx: see ‘gnupg-verify*’ in (guix
gnupg).  This is unreliable and rather undesirable, so the real solution
will be to have the keyring in the repo.

> It's a little awkward that it uses the fingerprint of the signing key
> rather than the primary key, as by default things like "gpg --list-keys"
> do not display the fingerprint of signing keys, only the primary key, so
> it is an adventure in gpg commandline options to correlate them.
>
> "gpg log --show-signature" also reports the primary key fingerprint,
> if the key is available in the keyring, and only the subkey fingerprint
> for unknown keys if I remember correctly.

Yeah, well.  Apparently ‘gpgv --status-fd’ reports the fingerprint of
the subkey, not that of the primary key, which is why we’re storing the
fingerprint of the subkey.

I think it actually makes sense, but I wonder why ‘gpg’ makes it so hard
to see the fingerprint of subkeys.

> It would be nice if the statistics would display the primary uid
> instead, as it is something a little more human readable, and the
> primary key fingerprint, as it is a little easier to find. :)

Ah, true!

> I'm hoping the eventual goal is to integrate this into guix pull?

Of course!

Ludo’.
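
The subkey versus primary key question discussed in this message, as an added example that is not part of the original e-mail and is not Guix code: a small parser for `gpgv --status-fd` output that returns the signing (sub)key fingerprint, the primary key fingerprint and the user ID, and flags a missing key. It assumes the status line layout documented in GnuPG's doc/DETAILS (VALIDSIG carries the primary key fingerprint as an optional tenth field); the name `parse_status` and all sample fingerprints, key IDs and the user ID are constructed for illustration.

```python
"""Added example: read both fingerprints from gpgv status output."""

# Constructed sample of what `gpgv --status-fd` emits; the fingerprints,
# key IDs and user ID below are made up for illustration.
SUBKEY = "1111222233334444555566667777888899990000"
PRIMARY = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_GOOD = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG {SUBKEY} 2019-12-30 1577741375 0 4 0 1 10 00 {PRIMARY}
"""
SAMPLE_MISSING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1577741375 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

PREFIX = "[GNUPG:] "


def parse_status(text):
    """Return a dict describing the signature found in gpgv status output."""
    result = {"status": "no-signature", "signing_fpr": None,
              "primary_fpr": None, "uid": None, "missing_key": None}
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue  # ignore anything that is not a status line
        keyword, _, rest = line[len(PREFIX):].partition(" ")
        fields = rest.split()
        if keyword == "GOODSIG":
            # "<keyid or fpr> <user ID>": keep the human-readable part.
            result["uid"] = rest.partition(" ")[2]
        elif keyword == "BADSIG":
            result["status"] = "bad"
        elif keyword == "VALIDSIG" and fields:
            result["status"] = "valid"
            # First field: fingerprint of the key that made the signature,
            # which is the subkey when a signing subkey was used.
            result["signing_fpr"] = fields[0]
            # Optional tenth field: primary key fingerprint; when absent,
            # fall back to the signing key's own fingerprint.
            result["primary_fpr"] = fields[9] if len(fields) >= 10 else fields[0]
        elif keyword == "NO_PUBKEY" and fields:
            result["status"] = "missing-key"
            result["missing_key"] = fields[0]
    return result
```

A user ID taken from GOODSIG only says which key made a good signature; whether that key is authorized to sign commits is a separate check against the list of authorized fingerprints.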


