bug#22883: Trustable "guix pull"
From: Vagrant Cascadian
Subject: bug#22883: Trustable "guix pull"
Date: Tue, 28 Aug 2018 12:56:02 -0700
This isn't exactly pretty, and obviously a better long-term solution is
needed, but I wrote a quick shell script to at least partially address
some of my biggest fears with guix pull...
Basically, it updates a git checkout, checks the signatures on the
commits, looking for the topmost signed commit by a key in a specific
keyring, and then runs guix pull with that commit.
It relies on a custom gpg directory and assumes any of the keys in the
keyring are valid potential signers of the commits; the web of trust is
essentially ignored.
I really don't like having a custom GNUPGHOME, but I didn't see any
other obvious way to pass arguments to git to use a custom keyring. I
populated this GNUPGHOME with keys from:
https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
And then ran gpg --refresh-keys on it, as several keys were
outdated/expired.
(an alternative approach to populate the keyring might be:
https://gitlab.com/Efraim/guix-keyring)
It also assumes a git checkout where "git pull" pulls from the correct
repository.
It assumes guix --version returns a valid git hash, so would require
some more tweaks to get it working from a fresh guix install.
All those caveats aside, it seems to work well enough for me, and
writing this email took longer than writing the script. :)
live well,
vagrant
#!/bin/sh
set -x
set -e
workdir=/home/vagrant/src/guix
# Custom keyring: every key in it is treated as an acceptable signer.
export GNUPGHOME=$workdir/verified-pull/gnupg
cd "$workdir"
git pull
# Assumes "guix --version" reports the git hash of the running guix.
guixversion=$(guix --version | awk '/^guix/{print $4}')
# One "status,hash" line per commit newer than the running version, newest first.
commits=$(git log "${guixversion}.." --pretty='format:%G?,%H')
# %G? shows:
#   "G" for a good (valid) signature,
#   "B" for a bad signature,
#   "U" for a good signature with unknown validity,
#   "X" for a good signature that has expired,
#   "Y" for a good signature made by an expired key,
#   "R" for a good signature made by a revoked key,
#   "E" if the signature cannot be checked (e.g. missing key) and
#   "N" for no signature
for commitlog in $commits ; do
    commitverify=$(echo "$commitlog" | cut -d , -f 1)
    commit=$(echo "$commitlog" | cut -d , -f 2)
    case $commitverify in
        # Take the newest commit with a good signature; "U" is accepted
        # because the web of trust is deliberately ignored here.
        G|U) git verify-commit "$commit" && \
            guix pull --url=file://$workdir --commit="$commit" && \
            exit 0 ;;
    esac
done
echo unable to find signed commit
exit 1
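The commit-selection step of the script above, isolated as an added example (not part of the original message) so it can be exercised offline on constructed "status,hash" lines instead of a live checkout; the function name pick_signed_commit and the sample hashes are assumptions.

```shell
#!/bin/sh
# pick_signed_commit reads "status,hash" lines on stdin, in the shape that
# git log --pretty='format:%G?,%H' prints them (newest first), and prints
# the hash of the newest commit whose signature status is acceptable.
# Only "G" (good, valid) and "U" (good, unknown validity) are accepted:
# the keyring in GNUPGHOME is the trust anchor and the web of trust is
# ignored, so "U" is expected. "B", "X", "Y", "R", "E" and "N" are all
# rejected, so a bad signature or a signer missing from the keyring is
# skipped rather than trusted.
pick_signed_commit() {
    while IFS=, read -r status hash; do
        case "$status" in
            G|U) printf '%s\n' "$hash"; return 0 ;;
        esac
    done
    # No acceptable commit (also the case when the input is empty).
    return 1
}

# Constructed sample log: the newest commit has a bad signature, the next
# was signed by a key missing from the keyring, the third is good with
# unknown validity and is the one that should be selected.
sample_log='B,aaaa000000000000000000000000000000000001
E,bbbb000000000000000000000000000000000002
U,cccc000000000000000000000000000000000003
G,dddd000000000000000000000000000000000004'

# Usage: printf '%s\n' "$sample_log" | pick_signed_commit
```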