guix-devel

Archive authentication & ‘guix challenge’


From: Ludovic Courtès
Subject: Archive authentication & ‘guix challenge’
Date: Thu, 09 Feb 2017 17:36:25 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Hi!

myglc2 <address@hidden> skribis:

> Hi Ludo, I have a couple questions. I authorized bayfront like so ...
>
> address@hidden ~/src$ cat bayfront.guixsd.org.pub
>  (public-key 
>   (ecc 
>    (curve Ed25519)
>    (q #8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#)))
>
> address@hidden ~/src$ sudo guix archive --authorize < bayfront.guixsd.org.pub
>
> ... and I read this ...
>
> 3.7 Invoking ‘guix archive’
> ===========================
> [...]
>      The list of authorized keys is kept in the human-editable file
>      ‘/etc/guix/acl’.  The file contains “advanced-format s-expressions”
>      (http://people.csail.mit.edu/rivest/Sexp.txt) and is structured as
>      an access-control list in the Simple Public-Key Infrastructure
>      (SPKI) (http://theworld.com/~cme/spki.txt).
>
> ... so I expected to find the bayfront key here ...

[...]

> ... but no. Where did it go?

Could it be that the ‘guix archive’ you ran uses a configuration
directory other than this one?  What does:

  guile -c '(use-modules (guix config)) (pk %config-directory)'

print?

> Also you recommended ...
>
>>   guix challenge gdk-pixbuf \
>>     --substitute-urls="https://mirror.hydra.gnu.org https://bayfront.guixsd.org"
>
> ... which I tried _before_ I had authorized bayfront. I was surprised that it
> worked before authorization. Should it?

Yes.  It is not actually importing the archives into your store, only
looking at the content hashes that the servers advertise, so there is no
risk here and no requirement to authenticate.

That said, we could add an option to restrict to authorized servers.

HTH!

Ludo’.
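
An added example, not part of the original message and not Guix's own code: a small model of the comparison described in the reply above, where only the content hashes that servers advertise are compared and no archive is imported or key authorization consulted. The `Key: value` metadata layout, the field names, the hash values and the `example.invalid` server are assumptions constructed for illustration.

```python
# Constructed sample data (hashes are made up): what two substitute servers
# might advertise for one store item. The "Key: value" layout is an assumption.
ITEM = "/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-gdk-pixbuf-0.0"
SAMPLE_ADVERTS = {
    "https://mirror.hydra.gnu.org":
        f"StorePath: {ITEM}\nNarHash: sha256:{'1' * 52}\nNarSize: 1000\n",
    "https://bayfront.guixsd.org":
        f"StorePath: {ITEM}\nNarHash: sha256:{'2' * 52}\nNarSize: 1000\n",
    "https://example.invalid": None,   # constructed: server lacking the item
}


def parse_advert(text):
    """Parse 'Key: value' lines; split on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def challenge(adverts, local_hash=None):
    """Group sources by the content hash they report.

    Only metadata is read: no archive is fetched or imported, and no
    authorized-key list is consulted, so an unauthorized server can be compared.
    """
    by_hash = {}
    if local_hash is not None:
        by_hash.setdefault(local_hash, []).append("local store")
    for url, text in adverts.items():
        if text is None:
            continue                      # nothing advertised, nothing to compare
        nar_hash = parse_advert(text).get("NarHash")
        if nar_hash:
            by_hash.setdefault(nar_hash, []).append(url)
    sources = sum(len(urls) for urls in by_hash.values())
    if sources < 2:
        verdict = "inconclusive"          # need at least two reports to compare
    elif len(by_hash) == 1:
        verdict = "match"
    else:
        verdict = "differ"                # disagreement: flag for investigation
    return verdict, by_hash


if __name__ == "__main__":
    print(challenge(SAMPLE_ADVERTS, local_hash="sha256:" + "1" * 52))
```
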


