From unknown Sat Aug 16 16:56:41 2025
Subject: [bug#70818] [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.
Resent-Date: Tue, 07 May 2024 14:15:01 +0000
To: 70818@debbugs.gnu.org
Cc: Ludovic Courtès, guix-security@gnu.org, Skyler Ferris, Florian Pelz
From: Ludovic Courtès
Date: Tue, 7 May 2024 16:13:27 +0200
Message-ID: <35c1e4eead584b9e24d3efc3638d6da4fd24cf8d.1715091056.git.ludo@gnu.org>
X-Mailer: git-send-email 2.41.0

The previous recommendation, running ‘make authenticate’, was insecure
because it led users to run code from the very repository they want to
authenticate:

  https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html

* Makefile.am (commit_v1_0_0, channel_intro_commit)
(channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
* Makefile.am (.git/hooks/%): New target, generalization of previous
‘.git/hooks/pre-push’ target.
(nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
* doc/contributing.texi (Building from Git): Suggest ‘guix git
authenticate’ instead of ‘make authenticate’.
* etc/git/post-merge: New file.
* etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
authenticate’.

Reported-by: Skyler Ferris
Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
---
 Makefile.am           | 30 +++++++++---------------------
 doc/contributing.texi | 29 ++++++++++++++++++++++-------
 etc/git/post-merge    |  3 +++
 etc/git/pre-push      |  4 +++-
 4 files changed, 37 insertions(+), 29 deletions(-)
 create mode 100755 etc/git/post-merge

Hello there!

This addresses the security issue Skyler reported regarding ‘make
authenticate’, basically removing the makefile target and adjusting
documentation accordingly.  It also adds a ‘post-merge’ hook like ‘guix
git authenticate’ now does.
This assumes users have a (very) recent ‘guix git authenticate’ command, but I think that’s acceptable because this targets an audience of developers. Thoughts? Ludo’. diff --git a/Makefile.am b/Makefile.am index 77c05ff63b7..d1d953b8923 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2012-2023 Ludovic Courtès +# Copyright © 2012-2024 Ludovic Courtès # Copyright © 2013 Andreas Enge # Copyright © 2015, 2017 Alex Kost # Copyright © 2016, 2018 Mathieu Lirzin @@ -895,22 +895,6 @@ $(guix_install_go_files): install-nobase_dist_guilemoduleDATA install-data-hook: touch "$(DESTDIR)$(guileobjectdir)/guix/config.go" -# Commit corresponding to the 'v1.0.0' tag. -commit_v1_0_0 = 6298c3ffd9654d3231a6f25390b056483e8f407c - -# Introduction of the 'guix' channel. Keep in sync with (guix channels)! -channel_intro_commit = 9edb3f66fd807b096b48283debdcddccfea34bad -channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA - -# Authenticate the current Git checkout by checking signatures on every commit. -GUIX_GIT_KEYRING = origin/keyring -authenticate: - $(AM_V_at)echo "Authenticating Git checkout..." ; \ - guix git authenticate \ - --keyring=$(GUIX_GIT_KEYRING) \ - --cache-key=channels/guix --stats \ - "$(channel_intro_commit)" "$(channel_intro_signer)" - # Assuming Guix is already installed and the daemon is up and running, this # rule builds from $(srcdir), creating and building derivations. as-derivation: 
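Review bot: the removed comment `-# Introduction of the 'guix' channel. Keep in sync with (guix channels)!` was the only reminder that the introduction commit `9edb3f66fd807b096b48283debdcddccfea34bad` and the signer fingerprint `BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA` are copies of values owned by `(guix channels)`; this patch re-types both literals by hand in doc/contributing.texi without carrying the reminder over, so a future change of the channel introduction can leave the manual telling contributors to trust a stale fingerprint. Suggest adding the same "keep in sync with (guix channels)" note next to the new @example blocks, or pointing the reader at `(guix channels)` as the source of truth. Second, the deleted target passed `--cache-key=channels/guix`, i.e. it shared its authentication cache with the one `guix pull` maintains for the guix channel; the documented replacement and the new hooks omit the option, so previously authenticated commits are not reused and the "first run takes a couple of minutes" cost is paid again even on machines that already pulled the channel. Worth either keeping `--cache-key=channels/guix` in the hooks or mentioning it in the texi.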
@@ -1227,13 +1211,13 @@ cuirass-jobs: $(GOBJECTS) .PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version .PHONY: assert-no-store-file-names assert-binaries-available .PHONY: assert-final-inputs-self-contained check-channel-news -.PHONY: clean-go make-go as-derivation authenticate +.PHONY: clean-go make-go as-derivation .PHONY: update-guix-package update-NEWS cuirass-jobs release # Git auto-configuration. -.git/hooks/pre-push: etc/git/pre-push +.git/hooks/%: etc/git/% $(AM_V_at)if test -d .git; then \ - cp etc/git/pre-push .git/hooks/pre-push; \ + cp "$<" "$@"; \ fi .git/config: etc/git/gitconfig @@ -1256,7 +1240,11 @@ COMMIT_MSG_MAGIC = VGhpcyBpcyB0aGUgY29tbWl0LW1zZyBob29rIG9mIEd1aXg= # from a tarball. Do not add dependencies on these to *_DATA when building # from a tarball, as that breaks the build. if in_git_p -nodist_noinst_DATA = .git/hooks/pre-push .git/config .git/hooks/commit-msg +nodist_noinst_DATA = \ + .git/hooks/pre-push \ + .git/hooks/post-merge \ + .git/config \ + .git/hooks/commit-msg endif # Downloading up-to-date PO files. diff --git a/doc/contributing.texi b/doc/contributing.texi index 66f4e86d0a9..0005c846dc1 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi 
@@ -276,25 +276,40 @@ Building from Git checkout by running: @example -make authenticate +guix git authenticate \ + 9edb3f66fd807b096b48283debdcddccfea34bad \ + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA" @end example The first run takes a couple of minutes, but subsequent runs are faster. +On subsequent runs, you can run the command without any arguments since +the @dfn{introduction} (the commit ID and OpenPGP fingerprints above) +will have been recorded@footnote{This requires a recent version of Guix, +from May 2024 or more recent.}: -Or, when your configuration for your local Git repository doesn't match +@example +guix git authenticate +@end example + +When your configuration for your local Git repository doesn't match the default one, you can provide the reference for the @code{keyring} -branch through the variable @code{GUIX_GIT_KEYRING}. The following +branch @i{via} the @option{-k} option. The following example assumes that you have a Git remote called @samp{myremote} pointing to the official repository: @example -make authenticate GUIX_GIT_KEYRING=myremote/keyring +guix git authenticate \ + -k myremote/keyring \ + 9edb3f66fd807b096b48283debdcddccfea34bad \ + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA" @end example +@xref{Invoking guix git authenticate}, for more information on this +command. + @quotation Note -You are advised to run @command{make authenticate} after every -@command{git pull} invocation. This ensures you keep receiving valid -changes to the repository. +By default, hooks installed such that @command{guix git authenticate} is +invoked anytime you run @command{git pull} or @command{git push}. @end quotation After updating the repository, @command{make} might fail with an error diff --git a/etc/git/post-merge b/etc/git/post-merge new file mode 100755 index 00000000000..f2ad37d35c4 --- /dev/null +++ b/etc/git/post-merge @@ -0,0 +1,3 @@ +#!/bin/sh +# Authenticate the repo upon 'git pull' and similar. +exec guix git authenticate 
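Review bot: in the contributing.texi hunk, `+By default, hooks installed such that @command{guix git authenticate} is` is missing its verb ("hooks are installed"), and as worded the note also overstates when the hooks exist: they only appear in .git/hooks once the `.git/hooks/%` Makefile rule from the Makefile.am hunk has run, so a freshly cloned checkout has no post-merge or pre-push hook until `make` has been run at least once. Suggest "Once you have run @command{make}, hooks are installed such that ..." and keeping a sentence that tells readers of a fresh clone to run the command manually first (the first @example already does this; the connection just is not stated). One more sentence would strengthen the security argument of this change: the two arguments in `+guix git authenticate \ + 9edb3f66fd807b096b48283debdcddccfea34bad \ + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"` must be taken from this manual (or another out-of-band source), never from a file inside the checkout being authenticated, otherwise the introduction could be rewritten by the very history it is supposed to pin. Also "OpenPGP fingerprints" in the @dfn{introduction} sentence should be singular, since one fingerprint is shown.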
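Review bot: the new etc/git/post-merge hook, `+exec guix git authenticate`, runs after the merge commit already exists, and a Git post-merge hook cannot abort or roll back the merge, so a failed authentication here only reports an error while the working tree and HEAD already contain the unauthenticated commits. That is fine as a warning, but the texi Note added in the same patch should not be read as a guarantee that unauthenticated changes never land in the checkout; suggest a half sentence in the Note ("a failing hook after `git pull` means the checkout now contains commits that did not authenticate; do not build until this is resolved"). Related question for the same hunk: the hook passes no `-k`/`--keyring`, so for the `myremote` layout described in the texi, does the recorded configuration from the first manual run cover the keyring reference as well as the introduction? If it does not, the hook will fail on every pull for those users and the texi should say how to configure it.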
diff --git a/etc/git/pre-push b/etc/git/pre-push index 59671b0d583..325b23854bb 100755 --- a/etc/git/pre-push +++ b/etc/git/pre-push 
@@ -32,7 +32,9 @@ do # Only use the hook when pushing to Savannah. case "$2" in *.gnu.org*) - exec make authenticate check-channel-news + set -e + make check-channel-news + exec guix git authenticate exit 127 ;; *) base-commit: 014875b29e68da6357a5323e6dd1eaa74a05b753 -- 2.41.0
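Review bot: in the pre-push hunk the order `+ make check-channel-news` followed by `+ exec guix git authenticate` still executes a Makefile target taken from the checkout before that checkout has been authenticated, which is the exact pattern the commit message describes as insecure for `make authenticate`; if a prior `git pull` brought in commits that the post-merge hook only warned about, their Makefile runs here with the developer's privileges. Running `guix git authenticate` first and then `exec make check-channel-news` keeps the same `set -e` abort-on-failure behaviour while guaranteeing that no code from the repository runs until its signatures have been verified. Minor: the retained `exit 127` line after `exec` is unreachable (exec replaces the shell, and a non-interactive POSIX shell exits non-zero by itself when exec fails), so it can be dropped in the same change.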

From: "pelzflorian (Florian Pelz)"
Date: Tue, 14 May 2024 12:08:42 +0200
Message-ID: <87cyposo2d.fsf@pelzflorian.de>
In-Reply-To: <35c1e4eead584b9e24d3efc3638d6da4fd24cf8d.1715091056.git.ludo@gnu.org>

Thank you Ludo for this careful implementation.  I find one typo:

Ludovic Courtès writes:

> diff --git a/doc/contributing.texi b/doc/contributing.texi
> index 66f4e86d0a9..0005c846dc1 100644
> --- a/doc/contributing.texi
> +++ b/doc/contributing.texi
> @@ -276,25 +276,40 @@ Building from Git
> […]
> @quotation Note
> -You are advised to run @command{make authenticate} after every
> -@command{git pull} invocation.  This ensures you keep receiving valid
> -changes to the repository.
> +By default, hooks installed such that @command{guix git authenticate} is
> +invoked anytime you run @command{git pull} or @command{git push}.
> @end quotation
>
> After updating the repository, @command{make} might fail with an error

By default, hooks *are*

Regards,
Florian

From: Maxim Cournoyer
Date: Wed, 22 May 2024 20:55:16 -0400
Message-ID: <877cfl2vpn.fsf@gmail.com>
In-Reply-To: <35c1e4eead584b9e24d3efc3638d6da4fd24cf8d.1715091056.git.ludo@gnu.org>

Hi!

Ludovic Courtès writes:

> The previous recommendation, running ‘make authenticate’, was insecure
> because it led users to run code from the very repository they want to
> authenticate:
>
>   https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html
>
> * Makefile.am (commit_v1_0_0, channel_intro_commit)
> (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
> * Makefile.am (.git/hooks/%): New target, generalization of previous
> ‘.git/hooks/pre-push’ target.
> (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
> * doc/contributing.texi (Building from Git): Suggest ‘guix git
> authenticate’ instead of ‘make authenticate’.
> * etc/git/post-merge: New file.
> * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
> authenticate’.
>
> Reported-by: Skyler Ferris
> Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd

Reviewed-by: Maxim Cournoyer

(taking into account the typo spotted by Florian).

Thank you for addressing this!
-- 
Thanks,
Maxim

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#70818: closed (Re: [bug#70818] [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.)
Reply-To: 70818@debbugs.gnu.org
Date: Sat, 25 May 2024 14:25:03 +0000

Your bug report

#70818: [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 70818@debbugs.gnu.org.
-- 
70818: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=70818
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: Maxim Cournoyer
Subject: Re: [bug#70818] [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.
In-Reply-To: <877cfl2vpn.fsf@gmail.com> (Maxim Cournoyer's message of "Wed, 22 May 2024 20:55:16 -0400")
Date: Sat, 25 May 2024 16:24:38 +0200
Message-ID: <87wmniyno9.fsf@gnu.org>
Cc: guix-security@gnu.org, Skyler Ferris, 70818-done@debbugs.gnu.org, Florian Pelz

Hi,

Maxim Cournoyer writes:

> Ludovic Courtès writes:
>
>> The previous recommendation, running ‘make authenticate’, was insecure
>> because it led users to run code from the very repository they want to
>> authenticate:
>>
>>   https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html
>>
>> * Makefile.am (commit_v1_0_0, channel_intro_commit)
>> (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
>> * Makefile.am (.git/hooks/%): New target, generalization of previous
>> ‘.git/hooks/pre-push’ target.
>> (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
>> * doc/contributing.texi (Building from Git): Suggest ‘guix git
>> authenticate’ instead of ‘make authenticate’.
>> * etc/git/post-merge: New file.
>> * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
>> authenticate’.
>>
>> Reported-by: Skyler Ferris
>> Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
>
> Reviewed-by: Maxim Cournoyer
>
> (taking into account the typo spotted by Florian).

I fixed the typo and applied it, thanks!

Ludo’.