Previously one would need to have a worktree for the local 'keyring'
branch.
Reported by reepca and bricewge on #guix.
* build-aux/git-authenticate.scm (load-keyring-from-reference): Use
'branch-lookup' instead of 'reference-lookup'. Add "origin/" to
REFERENCE.
(authenticate-commits): Have #:keyring-reference default to "keyring".
* build-aux/git-authenticate.scm (load-keyring-from-blob)
(load-keyring-from-reference): New procedures.
(authenticate-commits): Add #:keyring-reference and use
'load-keyring-from-reference'.
* build-aux/git-authenticate.scm (read-authorizations)
(commit-authorized-keys): New procedures.
(authenticate-commit): Use it instead of %AUTHORIZED-SIGNING-KEYS.
It can now authenticate 14K+ commits in 23s instead of 4mn20.
* build-aux/git-authenticate.scm (%authorized-signing-keys): Turn
fingerprints into bytevectors.
(with-temporary-files): Remove.
(commit-signing-key): Add 'keyring' parameter. Use
'string->openpgp-packet' and 'verify-openpgp-signature' instead of (guix
gnupg) procedures.
(authenticate-commit): Add 'keyring' parameter. Pass it to
'commit-signing-key'. Adjust to SIGNING-KEY being an <openpgp-public-key>.
(authenticate-commits): Remove 'parameterize'. Load keyring with
'get-openpgp-keyring'.
(git-authenticate): When printing stats, adjust to SIGNER being an
<openpgp-public-key>.
I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones. This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This is a followup to commit 7dc0f1d5a8,
signed with sub-key "3D2C DA58 819C 08C2 A649 D43D 5C3B 064C 724A 5726".
* build-aux/git-authenticate.scm (%committers): Provide fingerprint of
subkey for thomasd.
A list of already-authenticated commits is kept in
~/.cache/guix/authentication. This speeds up subsequent "make
authenticate" invocations.
* build-aux/git-authenticate.scm (authenticated-commit-cache-file)
(previously-authenticated-commits, cache-authenticated-commit): New
procedures.
(git-authenticate): Define 'authenticated-commits' and pass it as a
third argument to 'commit-difference'. Add call to
'cache-authenticated-commit'. Don't display signing stats when STATS is
null.