maint: Suggest ‘guix git authenticate’ for initial authentication.
The previous recommendation, running ‘make authenticate’, was insecure
because it led users to run code from the very repository they want to
authenticate:
https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html

* Makefile.am (commit_v1_0_0, channel_intro_commit)
(channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
* Makefile.am (.git/hooks/%): New target, generalization of previous
‘.git/hooks/pre-push’ target.
(nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
* doc/contributing.texi (Building from Git): Suggest ‘guix git
authenticate’ instead of ‘make authenticate’.
* etc/git/post-merge: New file.
* etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
authenticate’.

Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Reported-by: Skyler Ferris <skyvine@protonmail.com>
Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd

master
parent
0efa1daad3
commit
73b3f941d7
30
Makefile.am
|
@ -1,5 +1,5 @@
|
||||||
# GNU Guix --- Functional package management for GNU
|
# GNU Guix --- Functional package management for GNU
|
||||||
# Copyright © 2012-2023 Ludovic Courtès <ludo@gnu.org>
|
# Copyright © 2012-2024 Ludovic Courtès <ludo@gnu.org>
|
||||||
# Copyright © 2013 Andreas Enge <andreas@enge.fr>
|
# Copyright © 2013 Andreas Enge <andreas@enge.fr>
|
||||||
# Copyright © 2015, 2017 Alex Kost <alezost@gmail.com>
|
# Copyright © 2015, 2017 Alex Kost <alezost@gmail.com>
|
||||||
# Copyright © 2016, 2018 Mathieu Lirzin <mthl@gnu.org>
|
# Copyright © 2016, 2018 Mathieu Lirzin <mthl@gnu.org>
|
||||||
|
@ -899,22 +899,6 @@ $(guix_install_go_files): install-nobase_dist_guilemoduleDATA
|
||||||
install-data-hook:
|
install-data-hook:
|
||||||
touch "$(DESTDIR)$(guileobjectdir)/guix/config.go"
|
touch "$(DESTDIR)$(guileobjectdir)/guix/config.go"
|
||||||
|
|
||||||
# Commit corresponding to the 'v1.0.0' tag.
|
|
||||||
commit_v1_0_0 = 6298c3ffd9654d3231a6f25390b056483e8f407c
|
|
||||||
|
|
||||||
# Introduction of the 'guix' channel. Keep in sync with (guix channels)!
|
|
||||||
channel_intro_commit = 9edb3f66fd807b096b48283debdcddccfea34bad
|
|
||||||
channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA
|
|
||||||
|
|
||||||
# Authenticate the current Git checkout by checking signatures on every commit.
|
|
||||||
GUIX_GIT_KEYRING = origin/keyring
|
|
||||||
authenticate:
|
|
||||||
$(AM_V_at)echo "Authenticating Git checkout..." ; \
|
|
||||||
guix git authenticate \
|
|
||||||
--keyring=$(GUIX_GIT_KEYRING) \
|
|
||||||
--cache-key=channels/guix --stats \
|
|
||||||
"$(channel_intro_commit)" "$(channel_intro_signer)"
|
|
||||||
|
|
||||||
# Assuming Guix is already installed and the daemon is up and running, this
|
# Assuming Guix is already installed and the daemon is up and running, this
|
||||||
# rule builds from $(srcdir), creating and building derivations.
|
# rule builds from $(srcdir), creating and building derivations.
|
||||||
as-derivation:
|
as-derivation:
|
||||||
|
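Review bot: removing the `authenticate` target outright will silently break any script or CI job that still calls `make authenticate`; consider keeping a stub target for one release that exits non-zero and prints the replacement command, `guix git authenticate 9edb3f66fd807b096b48283debdcddccfea34bad "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"`, and add a NEWS entry. The removal itself is the right fix for the reported problem: the recipe lived in the Makefile of the checkout that had not yet been verified, so running it before authentication meant trusting exactly the code the check was supposed to vet.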
@ -1231,13 +1215,13 @@ cuirass-jobs: $(GOBJECTS)
|
||||||
.PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version
|
.PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version
|
||||||
.PHONY: assert-no-store-file-names assert-binaries-available
|
.PHONY: assert-no-store-file-names assert-binaries-available
|
||||||
.PHONY: assert-final-inputs-self-contained check-channel-news
|
.PHONY: assert-final-inputs-self-contained check-channel-news
|
||||||
.PHONY: clean-go make-go as-derivation authenticate
|
.PHONY: clean-go make-go as-derivation
|
||||||
.PHONY: update-guix-package update-NEWS cuirass-jobs release
|
.PHONY: update-guix-package update-NEWS cuirass-jobs release
|
||||||
|
|
||||||
# Git auto-configuration.
|
# Git auto-configuration.
|
||||||
.git/hooks/pre-push: etc/git/pre-push
|
.git/hooks/%: etc/git/%
|
||||||
$(AM_V_at)if test -d .git; then \
|
$(AM_V_at)if test -d .git; then \
|
||||||
cp etc/git/pre-push .git/hooks/pre-push; \
|
cp "$<" "$@"; \
|
||||||
fi
|
fi
|
||||||
|
|
||||||
.git/config: etc/git/gitconfig
|
.git/config: etc/git/gitconfig
|
||||||
|
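Review bot: the new pattern rule `.git/hooks/%: etc/git/%` installs hooks with a bare `cp "$<" "$@"`, so the installed hook is executable only if the source under `etc/git/` carries the executable bit; `etc/git/post-merge` is a new file in this change and the diff shown here does not display file modes, so make sure it is committed as mode 100755 or append `chmod +x "$@"` to the recipe. Git ignores a non-executable hook without any error, which would leave `git pull` unauthenticated while the manual says otherwise.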
@ -1260,7 +1244,11 @@ COMMIT_MSG_MAGIC = VGhpcyBpcyB0aGUgY29tbWl0LW1zZyBob29rIG9mIEd1aXg=
|
||||||
# from a tarball. Do not add dependencies on these to *_DATA when building
|
# from a tarball. Do not add dependencies on these to *_DATA when building
|
||||||
# from a tarball, as that breaks the build.
|
# from a tarball, as that breaks the build.
|
||||||
if in_git_p
|
if in_git_p
|
||||||
nodist_noinst_DATA = .git/hooks/pre-push .git/config .git/hooks/commit-msg
|
nodist_noinst_DATA = \
|
||||||
|
.git/hooks/pre-push \
|
||||||
|
.git/hooks/post-merge \
|
||||||
|
.git/config \
|
||||||
|
.git/hooks/commit-msg
|
||||||
endif
|
endif
|
||||||
|
|
||||||
# Downloading up-to-date PO files.
|
# Downloading up-to-date PO files.
|
||||||
|
|
|
@ -276,25 +276,41 @@ From there on, you can authenticate all the commits included in your
|
||||||
checkout by running:
|
checkout by running:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
make authenticate
|
guix git authenticate \
|
||||||
|
9edb3f66fd807b096b48283debdcddccfea34bad \
|
||||||
|
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
The first run takes a couple of minutes, but subsequent runs are faster.
|
The first run takes a couple of minutes, but subsequent runs are faster.
|
||||||
|
On subsequent runs, you can run the command without any arguments since
|
||||||
|
the @dfn{introduction} (the commit ID and OpenPGP fingerprints above)
|
||||||
|
will have been recorded@footnote{This requires a recent version of Guix,
|
||||||
|
from May 2024 or more recent.}:
|
||||||
|
|
||||||
Or, when your configuration for your local Git repository doesn't match
|
@example
|
||||||
|
guix git authenticate
|
||||||
|
@end example
|
||||||
|
|
||||||
|
When your configuration for your local Git repository doesn't match
|
||||||
the default one, you can provide the reference for the @code{keyring}
|
the default one, you can provide the reference for the @code{keyring}
|
||||||
branch through the variable @code{GUIX_GIT_KEYRING}. The following
|
branch @i{via} the @option{-k} option. The following
|
||||||
example assumes that you have a Git remote called @samp{myremote}
|
example assumes that you have a Git remote called @samp{myremote}
|
||||||
pointing to the official repository:
|
pointing to the official repository:
|
||||||
|
|
||||||
@example
|
@example
|
||||||
make authenticate GUIX_GIT_KEYRING=myremote/keyring
|
guix git authenticate \
|
||||||
|
-k myremote/keyring \
|
||||||
|
9edb3f66fd807b096b48283debdcddccfea34bad \
|
||||||
|
"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
|
@xref{Invoking guix git authenticate}, for more information on this
|
||||||
|
command.
|
||||||
|
|
||||||
@quotation Note
|
@quotation Note
|
||||||
You are advised to run @command{make authenticate} after every
|
By default, hooks are installed such that @command{guix git
|
||||||
@command{git pull} invocation. This ensures you keep receiving valid
|
authenticate} is invoked anytime you run @command{git pull} or
|
||||||
changes to the repository.
|
@command{git push}.
|
||||||
@end quotation
|
@end quotation
|
||||||
|
|
||||||
After updating the repository, @command{make} might fail with an error
|
After updating the repository, @command{make} might fail with an error
|
||||||
|
|
|
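Review bot: the note now says `guix git authenticate` is invoked "anytime you run git pull", but a post-merge hook fires only for a merging pull; `git pull --rebase`, a `git fetch` followed by `git reset`, or checking out a remote branch do not run it, so either narrow the wording to "after a merging `git pull`" or cover the other paths with additional hooks. It should also say that the post-merge check cannot undo the merge: if it fails, the unverified commits are already in the working tree and the user must reset before building anything from it. Finally, the introduction commit and fingerprint are now written literally into the manual after being dropped from the Makefile, which carried the "Keep in sync with (guix channels)!" reminder; keeping that reminder next to these `@example` lines would help the next person who has to rotate them.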
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# Authenticate the repo upon 'git pull' and similar.
|
||||||
|
exec guix git authenticate
|
|
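Review bot: Git ignores the exit status of a post-merge hook because the merge has already been recorded, so a failure of `exec guix git authenticate` here only emits a diagnostic that is easy to miss in the scrollback; consider wrapping it so that failure prints an unmistakable message to stderr stating that the checkout is not authenticated and that the merge should be reverted, for example `guix git authenticate || { echo "ERROR: checkout NOT authenticated, reset before use" >&2; exit 1; }`, and document this limitation next to the note in contributing.texi. Also, invoking the command without arguments relies on the introduction having been recorded by an earlier full run, as the manual text in this change explains; on a fresh clone where that has never happened the hook will fail until the user runs the full command once, which is worth a sentence in the manual.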
@ -32,7 +32,9 @@ do
|
||||||
# Only use the hook when pushing to Savannah.
|
# Only use the hook when pushing to Savannah.
|
||||||
case "$2" in
|
case "$2" in
|
||||||
*.gnu.org*)
|
*.gnu.org*)
|
||||||
exec make authenticate check-channel-news
|
set -e
|
||||||
|
make check-channel-news
|
||||||
|
exec guix git authenticate
|
||||||
exit 127
|
exit 127
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
|
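Review bot: order of operations: `make check-channel-news` now runs before `guix git authenticate`, so a Makefile recipe from the checkout executes before the checkout has been verified, which is the very pattern this commit removes from the initial-authentication flow. Since `exec` has to be the last statement anyway, run `guix git authenticate` first and then `exec make check-channel-news`; with `set -e` in place a failed authentication still aborts the push. The trailing `exit 127` is only reached if `exec` itself fails to start the program, which is fine, but a short comment saying so would save the next reader a moment.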