From: Ludovic Courtès <ludo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] maint: Suggest ‘guix git authenticate’ for initial authentication.
Date: Tue, 7 May 2024 16:13:27 +0200
Message-ID: <35c1e4eead584b9e24d3efc3638d6da4fd24cf8d.1715091056.git.ludo@HIDDEN>
X-Debbugs-Cc: Florian Pelz <pelzflorian@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>
Cc: Ludovic Courtès <ludo@HIDDEN>, guix-security@HIDDEN, Skyler Ferris <skyvine@HIDDEN>

The previous recommendation, running ‘make authenticate’, was insecure
because it led users to run code from the very repository they want to
authenticate:

  https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html

* Makefile.am (commit_v1_0_0, channel_intro_commit)
(channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
* Makefile.am (.git/hooks/%): New target, generalization of previous
‘.git/hooks/pre-push’ target.
(nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
* doc/contributing.texi (Building from Git): Suggest ‘guix git
authenticate’ instead of ‘make authenticate’.
* etc/git/post-merge: New file.
* etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
authenticate’.

Reported-by: Skyler Ferris <skyvine@HIDDEN>
Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
---
 Makefile.am           | 30 +++++++++---------------------
 doc/contributing.texi | 29 ++++++++++++++++++++++-------
 etc/git/post-merge    |  3 +++
 etc/git/pre-push      |  4 +++-
 4 files changed, 37 insertions(+), 29 deletions(-)
 create mode 100755 etc/git/post-merge

Hello there!

This addresses the security issue Skyler reported regarding ‘make
authenticate’, basically removing the makefile target and adjusting
documentation accordingly.

It also adds a ‘post-merge’ hook like ‘guix git authenticate’ now does.

This assumes users have a (very) recent ‘guix git authenticate’ command,
but I think that’s acceptable because this targets an audience of
developers.

Thoughts?

Ludo’.

diff --git a/Makefile.am b/Makefile.am index 77c05ff63b7..d1d953b8923 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2012-2023 Ludovic Courtès <ludo@HIDDEN> +# Copyright © 2012-2024 Ludovic Courtès <ludo@HIDDEN> # Copyright © 2013 Andreas Enge <andreas@HIDDEN> # Copyright © 2015, 2017 Alex Kost <alezost@HIDDEN> # Copyright © 2016, 2018 Mathieu Lirzin <mthl@HIDDEN>
@@ -895,22 +895,6 @@ $(guix_install_go_files): install-nobase_dist_guilemoduleDATA install-data-hook: touch "$(DESTDIR)$(guileobjectdir)/guix/config.go" -# Commit corresponding to the 'v1.0.0' tag. -commit_v1_0_0 = 6298c3ffd9654d3231a6f25390b056483e8f407c - -# Introduction of the 'guix' channel. Keep in sync with (guix channels)! -channel_intro_commit = 9edb3f66fd807b096b48283debdcddccfea34bad -channel_intro_signer = BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA - -# Authenticate the current Git checkout by checking signatures on every commit. -GUIX_GIT_KEYRING = origin/keyring -authenticate: - $(AM_V_at)echo "Authenticating Git checkout..." ; \ - guix git authenticate \ - --keyring=$(GUIX_GIT_KEYRING) \ - --cache-key=channels/guix --stats \ - "$(channel_intro_commit)" "$(channel_intro_signer)" - # Assuming Guix is already installed and the daemon is up and running, this # rule builds from $(srcdir), creating and building derivations. as-derivation: @@ -1227,13 +1211,13 @@ cuirass-jobs: $(GOBJECTS) .PHONY: gen-ChangeLog gen-AUTHORS gen-tarball-version .PHONY: assert-no-store-file-names assert-binaries-available .PHONY: assert-final-inputs-self-contained check-channel-news -.PHONY: clean-go make-go as-derivation authenticate +.PHONY: clean-go make-go as-derivation .PHONY: update-guix-package update-NEWS cuirass-jobs release # Git auto-configuration. -.git/hooks/pre-push: etc/git/pre-push +.git/hooks/%: etc/git/% $(AM_V_at)if test -d .git; then \ - cp etc/git/pre-push .git/hooks/pre-push; \ + cp "$<" "$@"; \ fi .git/config: etc/git/gitconfig 
@@ -1256,7 +1240,11 @@ COMMIT_MSG_MAGIC = VGhpcyBpcyB0aGUgY29tbWl0LW1zZyBob29rIG9mIEd1aXg= # from a tarball. Do not add dependencies on these to *_DATA when building # from a tarball, as that breaks the build. if in_git_p -nodist_noinst_DATA = .git/hooks/pre-push .git/config .git/hooks/commit-msg +nodist_noinst_DATA = \ + .git/hooks/pre-push \ + .git/hooks/post-merge \ + .git/config \ + .git/hooks/commit-msg endif # Downloading up-to-date PO files. diff --git a/doc/contributing.texi b/doc/contributing.texi index 66f4e86d0a9..0005c846dc1 100644 --- a/doc/contributing.texi +++ b/doc/contributing.texi 
@@ -276,25 +276,40 @@ Building from Git checkout by running: @example -make authenticate +guix git authenticate \ + 9edb3f66fd807b096b48283debdcddccfea34bad \ + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA" @end example The first run takes a couple of minutes, but subsequent runs are faster. +On subsequent runs, you can run the command without any arguments since +the @dfn{introduction} (the commit ID and OpenPGP fingerprints above) +will have been recorded@footnote{This requires a recent version of Guix, +from May 2024 or more recent.}: -Or, when your configuration for your local Git repository doesn't match +@example +guix git authenticate +@end example + +When your configuration for your local Git repository doesn't match the default one, you can provide the reference for the @code{keyring} -branch through the variable @code{GUIX_GIT_KEYRING}. The following +branch @i{via} the @option{-k} option. The following example assumes that you have a Git remote called @samp{myremote} pointing to the official repository: @example -make authenticate GUIX_GIT_KEYRING=myremote/keyring +guix git authenticate \ + -k myremote/keyring \ + 9edb3f66fd807b096b48283debdcddccfea34bad \ + "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA" @end example +@xref{Invoking guix git authenticate}, for more information on this +command. + @quotation Note -You are advised to run @command{make authenticate} after every -@command{git pull} invocation. This ensures you keep receiving valid -changes to the repository. +By default, hooks installed such that @command{guix git authenticate} is +invoked anytime you run @command{git pull} or @command{git push}. @end quotation After updating the repository, @command{make} might fail with an error diff --git a/etc/git/post-merge b/etc/git/post-merge new file mode 100755 index 00000000000..f2ad37d35c4 --- /dev/null +++ b/etc/git/post-merge @@ -0,0 +1,3 @@ +#!/bin/sh +# Authenticate the repo upon 'git pull' and similar. +exec guix git authenticate 
diff --git a/etc/git/pre-push b/etc/git/pre-push index 59671b0d583..325b23854bb 100755 --- a/etc/git/pre-push +++ b/etc/git/pre-push @@ -32,7 +32,9 @@ do # Only use the hook when pushing to Savannah. case "$2" in *.gnu.org*) - exec make authenticate check-channel-news + set -e + make check-channel-news + exec guix git authenticate exit 127 ;; *) base-commit: 014875b29e68da6357a5323e6dd1eaa74a05b753 -- 2.41.0
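Review bot: on the Makefile.am hunk that drops the ‘authenticate’ target, the removed invocation passed ‘--keyring=$(GUIX_GIT_KEYRING)’, ‘--cache-key=channels/guix’ and ‘--stats’ explicitly, while the new callers (the post-merge hook, the pre-push hook and the no-argument command in the manual) pass nothing at all. The commit message should say whether ‘guix git authenticate’ now records the keyring reference together with the introduction; the manual text only claims that the introduction is recorded, so a developer with a non-default remote, whom the manual still tells to use ‘-k myremote/keyring’, would have both hooks run against the default keyring reference and fail.

Review bot: in the ‘.git/hooks/%: etc/git/%’ pattern rule, a bare ‘cp "$<" "$@"’ yields an executable hook only because the source file is committed with mode 100755 (as etc/git/post-merge is in this patch). Git silently ignores a hook without the executable bit, so either add ‘chmod +x "$@"’ after the copy or note in a comment that files under etc/git/ must keep the executable bit.

Review bot: in the doc/contributing.texi hunk, the introduction (commit 9edb3f66… and fingerprint ‘BBB0 2DDF …’) becomes something the reader copies out of the manual, and a developer following “Building from Git” may well be reading doc/contributing.texi inside the very checkout being authenticated, which brings back, in milder form, the problem this patch removes. Suggest adding a sentence telling readers to compare the two values against a copy outside the checkout, for example the published manual or the introduction in the (guix channels) module of their installed Guix, which the removed Makefile comment says these values are kept in sync with. Two smaller points in the same hunk: the note reads “By default, hooks installed such that”, missing “are”; and “anytime you run git pull” overstates what a post-merge hook does, since it is only run by ‘git merge’ (so ‘git pull --rebase’ does not trigger it) and it cannot undo a merge that has already happened, so the note should say what to do when the hook reports a failure. The footnote’s “from May 2024 or more recent” would serve readers better as the Guix commit or version that introduced recording of the introduction.

Review bot: the new etc/git/post-merge runs ‘exec guix git authenticate’ with no arguments, which depends on the introduction having been recorded by an earlier explicit run; but ‘make’ installs the hook as soon as the tree is built, so a developer who clones, builds and pulls before ever running the full command from the manual gets a failing hook with no pointer to the fix. Either pass the introduction explicitly here, as the manual’s first invocation does, or have the hook print the manual’s command when ‘guix git authenticate’ fails.

Review bot: in the etc/git/pre-push hunk, ‘make check-channel-news’ now runs before ‘guix git authenticate’, so the checkout’s Makefile is executed before the checkout has been authenticated, which is the same ordering this patch removes for ‘make authenticate’ (lower risk here, since it is the developer’s own tree, but there is no reason to keep it). Run ‘guix git authenticate’ first, then ‘exec make check-channel-news’; ‘set -e’ already takes care of stopping on the first failure.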
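The commit message above explains why ‘make authenticate’ was unsafe: the authentication code, and the introduction it checked against (‘channel_intro_commit’ and ‘channel_intro_signer’ in Makefile.am), came from the repository being authenticated. The following Python model, added here as an illustration and not code from the Guix project, plays that out on constructed commit histories. A commit’s ‘signer’ field stands in for the OpenPGP fingerprint that a real signature check (gpg) would have confirmed, its ‘authorizations’ field stands in for that commit’s .guix-authorizations, and the rule applied (a commit must be signed by a key listed in the authorizations of each of its parents; the introduction commit must be signed by the introduction key) follows the channel authentication model described in the Guix manual. The introduction commit ID and fingerprint are the real ones from the patch; every other commit ID and fingerprint is made up.

```python
"""Trust bootstrap behind 'guix git authenticate', as a small model.

Added example, not Guix code.  Commits are dicts with constructed data;
'signer' is the fingerprint a signature check is assumed to have verified,
'authorizations' models the commit's .guix-authorizations file.
"""

# Real 'guix' channel introduction, copied from the patch.
INTRO_COMMIT = "9edb3f66fd807b096b48283debdcddccfea34bad"
INTRO_SIGNER = "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA"
# Constructed fingerprints for the scenarios below.
COMMITTER = "1111 2222 3333 4444 5555 6666 7777 8888 9999 0000"
ATTACKER = "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF"


def commit(cid, parents, signer, authorizations):
    """A commit record: ID, parent IDs, verified signer, authorized keys."""
    return {"id": cid, "parents": list(parents), "signer": signer,
            "authorizations": frozenset(authorizations)}


def repo_from(commits):
    return {c["id"]: c for c in commits}


def authorized_keys(repo, c):
    """Keys allowed to sign C: the intersection of its parents' authorizations.

    A commit can never authorize itself; its own authorizations only
    govern its children.
    """
    keys = None
    for pid in c["parents"]:
        auth = repo[pid]["authorizations"]
        keys = auth if keys is None else keys & auth
    return keys if keys is not None else frozenset()


def authenticate(repo, head, intro_commit, intro_signer):
    """Authenticate HEAD against a pinned introduction; return (ok, reason)."""
    intro = repo.get(intro_commit)
    if intro is None:
        return False, "introduction commit not found in history"
    if intro["signer"] != intro_signer:
        return False, "introduction commit not signed by the introduction key"
    # Walk the ancestors of HEAD, stopping at the introduction commit.
    seen, todo = set(), [head]
    while todo:
        cid = todo.pop()
        if cid in seen:
            continue
        seen.add(cid)
        if cid == intro_commit:
            continue
        c = repo.get(cid)
        if c is None:
            return False, f"unknown commit {cid}"
        if not c["parents"]:
            return False, f"{cid} is a root that is not the introduction commit"
        todo.extend(c["parents"])
    # Every commit after the introduction must be signed by an authorized key.
    for cid in sorted(seen - {intro_commit}):
        c = repo[cid]
        if c["signer"] not in authorized_keys(repo, c):
            return False, f"{cid} is signed by an unauthorized key"
    return True, "authenticated"


def genuine_history():
    """Maintainer signs the introduction, then authorizes a second committer."""
    return repo_from([
        commit(INTRO_COMMIT, [], INTRO_SIGNER, [INTRO_SIGNER]),
        commit("c1", [INTRO_COMMIT], INTRO_SIGNER, [INTRO_SIGNER, COMMITTER]),
        commit("c2", ["c1"], COMMITTER, [INTRO_SIGNER, COMMITTER]),
    ])


def history_with_rogue_commit():
    """Genuine history plus a commit signed by a key no parent authorizes."""
    repo = genuine_history()
    repo["c3"] = commit("c3", ["c2"], ATTACKER, [INTRO_SIGNER, COMMITTER, ATTACKER])
    return repo


def rewritten_history():
    """History replaced wholesale; the tree ships its own 'introduction'."""
    repo = repo_from([
        commit("a0", [], ATTACKER, [ATTACKER]),
        commit("a1", ["a0"], ATTACKER, [ATTACKER]),
    ])
    # What a tampered Makefile.am (channel_intro_commit / channel_intro_signer)
    # in that tree would hand to 'make authenticate'.
    in_tree_intro = ("a0", ATTACKER)
    return repo, in_tree_intro


def run_scenarios():
    """Map scenario name -> authentication verdict."""
    results = {
        "genuine": authenticate(genuine_history(), "c2", INTRO_COMMIT, INTRO_SIGNER)[0],
        "rogue_commit": authenticate(history_with_rogue_commit(), "c3",
                                     INTRO_COMMIT, INTRO_SIGNER)[0],
    }
    repo, (tree_commit, tree_signer) = rewritten_history()
    # Introduction read from the repository being checked (old 'make authenticate').
    results["rewritten_in_tree_intro"] = authenticate(repo, "a1", tree_commit, tree_signer)[0]
    # Introduction pinned out of band ('guix git authenticate <commit> <fingerprint>').
    results["rewritten_pinned_intro"] = authenticate(repo, "a1", INTRO_COMMIT, INTRO_SIGNER)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:26s} {'authenticated' if ok else 'REJECTED'}")
```

The two ‘rewritten_*’ results carry the point: with the introduction taken from the attacker-controlled tree, as the old Makefile variables were, the rewritten history authenticates; with the introduction pinned outside the checkout, as the ‘guix git authenticate <commit> <fingerprint>’ invocation in the manual does, it is rejected because the pinned commit is not in the history at all. The ‘rogue_commit’ case shows the second half of the model, that a commit cannot authorize its own key.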
GNU bug tracking system: bug#70818; Package guix-patches.