GNU bug report logs - #22883
Trustable "guix pull"

Previous Next

Package: guix;

Reported by: Christopher Allan Webber <cwebber <at> dustycloud.org>

Date: Wed, 2 Mar 2016 18:05:02 UTC

Severity: serious

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Jakub Kądziołka <kuba <at> kadziolka.net>
To: 22883 <at> debbugs.gnu.org
Subject: bug#22883: Authenticating Git checkouts: step #1
Date: Tue, 31 Dec 2019 20:16:39 +0100

Hi Guix!

Ludovic Courtès wrote:
> --8<---------------cut here---------------start------------->8---
> If you want to hack Guix itself, it is recommended to use the latest
> version from the Git repository:
> 
>      git clone https://git.savannah.gnu.org/git/guix.git
> 
>    How do you ensure that you obtained a genuine copy of the repository?
> Guix itself provides a tool to “authenticate” your checkout, but you
> must first make sure this tool is genuine in order to “bootstrap” the
> trust chain.  To do that, run:
> 
>      git verify-commit `git log --format=%H build-aux/git-authenticate.scm`
> 
>    The output must look something like:
> 
>      gpg: Signature made Fri 27 Dec 2019 01:27:41 PM CET
>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>      ...
>      gpg: Signature made Fri 27 Dec 2019 01:25:22 PM CET
>      gpg:                using RSA key 3CE464558A84FDC69DB40CFB090B11993D9AEBB5
>      ...
> 
> ...  meaning that changes to this file are all signed with key
> ‘3CE464558A84FDC69DB40CFB090B11993D9AEBB5’ (you may need to fetch this
> key from a key server, if you have not done it yet).
> 
>    From there on, you can authenticate all the commits included in your
> checkout by running:
> 
>      make authenticate
> 
>    The first run takes a couple of minutes, but subsequent runs are
> faster.
> 
>      Note: You are advised to run ‘make authenticate’ after every ‘git
>      pull’ invocation.  This ensures you keep receiving valid changes to
>      the repository
> --8<---------------cut here---------------end--------------->8---

Sadly, these instructions don't work from a fresh clone. There is only
Makefile.am and no Makefile itself, so you get

$ make authenticate
make: *** No rule to make target 'authenticate'.  Stop.

Moreover, I don't think running 'make authenticate' after 'git pull'
would really work -- after you pulled, git-authenticate could've been
modified, so the verify-commit you did earlier doesn't apply anymore.

There's also the issue of trusting pre-inst-env, which is used to run
the verification. Should that be passed to 'git log --format=%H' next to
git-authenticate.scm? This also applies to any scripts you use to drive
this process, like the Makefile.

Regards,
Kuba
This bug report was last modified 5 years and 53 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.