09/11: maint: Suggest ‘guix git authenticate’ for initial authentication.

guix-commits Sat, 25 May 2024 07:59:05 -0700

civodul pushed a commit to branch master
in repository guix.

commit 73b3f941d7d911a1b2bb2bf77d37cb3a12ed4291
Author: Ludovic Courtès <l...@gnu.org>
AuthorDate: Tue May 7 15:54:44 2024 +0200


    maint: Suggest ‘guix git authenticate’ for initial authentication.
    
    The previous recommendation, running ‘make authenticate’, was insecure
    because it led users to run code from the very repository they want to
    authenticate:
    
      https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html
    
    * Makefile.am (commit_v1_0_0, channel_intro_commit)
    (channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
    * Makefile.am (.git/hooks/%): New target, generalization of previous
    ‘.git/hooks/pre-push’ target.
    (nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
    * doc/contributing.texi (Building from Git): Suggest ‘guix git
    authenticate’ instead of ‘make authenticate’.
    * etc/git/post-merge: New file.
    * etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
    authenticate’.
    
    Reviewed-by: Maxim Cournoyer <maxim.courno...@gmail.com>
    Reported-by: Skyler Ferris <skyv...@protonmail.com>
    Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
---
 Makefile.am           | 30 +++++++++---------------------
 doc/contributing.texi | 30 +++++++++++++++++++++++-------
 etc/git/post-merge    |  3 +++
 etc/git/pre-push      |  4 +++-
 4 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index b4a06a52b8..d0364e9dad 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,5 @@
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012-2023 Ludovic Courtès <l...@gnu.org>
+# Copyright © 2012-2024 Ludovic Courtès <l...@gnu.org>
 # Copyright © 2013 Andreas Enge <andr...@enge.fr>
 # Copyright © 2015, 2017 Alex Kost <alez...@gmail.com>
 # Copyright © 2016, 2018 Mathieu Lirzin <m...@gnu.org>
@@ -899,22 +899,6 @@ $(guix_install_go_files): 
install-nobase_dist_guilemoduleDATA
 install-data-hook:
        touch "$(DESTDIR)$(guileobjectdir)/guix/config.go"
 
-# Commit corresponding to the 'v1.0.0' tag.
-commit_v1_0_0 = 6298c3ffd9654d3231a6f25390b056483e8f407c
-
-# Introduction of the 'guix' channel.  Keep in sync with (guix channels)!
-channel_intro_commit = 9edb3f66fd807b096b48283debdcddccfea34bad
-channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA
-
-# Authenticate the current Git checkout by checking signatures on every commit.
-GUIX_GIT_KEYRING = origin/keyring
-authenticate:
-       $(AM_V_at)echo "Authenticating Git checkout..." ;       \
-       guix git authenticate                                   \
-           --keyring=$(GUIX_GIT_KEYRING)                       \
-           --cache-key=channels/guix --stats                   \
-           "$(channel_intro_commit)" "$(channel_intro_signer)"
-
 # Assuming Guix is already installed and the daemon is up and running, this
 # rule builds from $(srcdir), creating and building derivations.
 as-derivation:
@@ -1231,13 +1215,13 @@ cuirass-jobs: $(GOBJECTS)
 .PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version
 .PHONY: assert-no-store-file-names assert-binaries-available
 .PHONY: assert-final-inputs-self-contained check-channel-news
-.PHONY: clean-go make-go as-derivation authenticate
+.PHONY: clean-go make-go as-derivation
 .PHONY: update-guix-package update-NEWS cuirass-jobs release
 
 # Git auto-configuration.
-.git/hooks/pre-push: etc/git/pre-push
+.git/hooks/%: etc/git/%
        $(AM_V_at)if test -d .git; then \
-       cp etc/git/pre-push .git/hooks/pre-push; \
+       cp "$<" "$@"; \
        fi
 
 .git/config: etc/git/gitconfig
@@ -1260,7 +1244,11 @@ COMMIT_MSG_MAGIC = 
VGhpcyBpcyB0aGUgY29tbWl0LW1zZyBob29rIG9mIEd1aXg=
 # from a tarball.  Do not add dependencies on these to *_DATA when building
 # from a tarball, as that breaks the build.
 if in_git_p
-nodist_noinst_DATA = .git/hooks/pre-push .git/config .git/hooks/commit-msg
+nodist_noinst_DATA =                           \
+  .git/hooks/pre-push                          \
+  .git/hooks/post-merge                                \
+  .git/config                                  \
+  .git/hooks/commit-msg
 endif
 
 # Downloading up-to-date PO files.
diff --git a/doc/contributing.texi b/doc/contributing.texi
index ecff6300bf..a0d6b5304a 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -276,25 +276,41 @@ From there on, you can authenticate all the commits 
included in your
 checkout by running:
 
 @example
-make authenticate
+guix git authenticate \
+  9edb3f66fd807b096b48283debdcddccfea34bad \
+  "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"
 @end example
 
 The first run takes a couple of minutes, but subsequent runs are faster.
+On subsequent runs, you can run the command without any arguments since
+the @dfn{introduction} (the commit ID and OpenPGP fingerprints above)
+will have been recorded@footnote{This requires a recent version of Guix,
+from May 2024 or more recent.}:
 
-Or, when your configuration for your local Git repository doesn't match
+@example
+guix git authenticate
+@end example
+
+When your configuration for your local Git repository doesn't match
 the default one, you can provide the reference for the @code{keyring}
-branch through the variable @code{GUIX_GIT_KEYRING}.  The following
+branch @i{via} the @option{-k} option.  The following
 example assumes that you have a Git remote called @samp{myremote}
 pointing to the official repository:
 
 @example
-make authenticate GUIX_GIT_KEYRING=myremote/keyring
+guix git authenticate \
+  -k myremote/keyring \
+  9edb3f66fd807b096b48283debdcddccfea34bad \
+  "BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"
 @end example
 
+@xref{Invoking guix git authenticate}, for more information on this
+command.
+
 @quotation Note
-You are advised to run @command{make authenticate} after every
-@command{git pull} invocation.  This ensures you keep receiving valid
-changes to the repository.
+By default, hooks are installed such that @command{guix git
+authenticate} is invoked anytime you run @command{git pull} or
+@command{git push}.
 @end quotation
 
 After updating the repository, @command{make} might fail with an error
diff --git a/etc/git/post-merge b/etc/git/post-merge
new file mode 100755
index 0000000000..f2ad37d35c
--- /dev/null
+++ b/etc/git/post-merge
@@ -0,0 +1,3 @@
+#!/bin/sh
+# Authenticate the repo upon 'git pull' and similar.
+exec guix git authenticate
diff --git a/etc/git/pre-push b/etc/git/pre-push
index 59671b0d58..325b23854b 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -32,7 +32,9 @@ do
                # Only use the hook when pushing to Savannah.
                case "$2" in
                    *.gnu.org*)
-                       exec make authenticate check-channel-news
+                       set -e
+                       make check-channel-news
+                       exec guix git authenticate
                        exit 127
                        ;;
                    *)

09/11: maint: Suggest ‘guix git authenticate’ for initial authentication.

Reply via email to