bug#22883: Trustable "guix pull"

[Werner Koch]

Hi,

Ludo' asked us to send some comments on how to verify git commits.  I
only had time to quickly browse the mail thread.

I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has alread
moved to name gpg2 gpg) because we once wrote it for Debian.  It has the
simplest semantics and thus best fits your purpose.  We use it in GnuPG
itself for the speedo build system; it is sufficent to run this simple
script:

--8<---------------cut here---------------start------------->8---
  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
    echo "list of software versions is not valid!" >&2
    exit 1
  fi
--8<---------------cut here---------------end--------------->8---

In all other context I would suggest the use of GPGME to verify
signatures, because GPGME also evaluates the trust and all the status
line gpg spits out.

There are no issues with l10n because _all_ scripts SHOULD use gpg with
the options --status-fd and --with-colons.  That output creates a well
defined API and we try very hard never to break it.

Mike Gerwitz's article is a bit long read right now.  I have never
looked into git to check whether git correctly calls gpg to verify
signatures.  That should eventually be done.  And yes, please sign your
commits (I use an Ed25519 key stored on a Gnuk token; which works very
well).


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    /* EFH in Erkrath: https://alt-hochdahl.de/haus */

pgpnxKGZ7FKRp.pgp
Description: PGP signature