Signing patches needs a bit more documentation [answers inside]


#1

I created an account on nest.pijul.com, built pijul from source (version pijul-next), figured out how to get SSH auth working, then ran these pijul commands:

$ pijul keys --generate-signing
$ pijul keys --upload-to boxofrox@nest.pijul.com

Everything seems to be working. Let’s try signing something.

I just pushed a patch to nest before I uploaded my signing key, so let’s unrecord and re-record it.

$ pijul unrecord
Hash: 8tRMkGGk39xQ9Cf6vJnLNpzHiTu4WbRRotAB9fdCfcWpP6m7WTjbVBoqz3xesrpn5DoRwh2ZUohvtnUYkWbpe6nf
Internal id: QAFZaunwX1Q
Authors: ["Justin Charette <charetjc@gmail.com>"]
Timestamp: 2017-11-22 20:00:18.677536420 UTC

    Improve editor support.


   The editor config option can include CLI parameters to support gvim via "gvim -f".
Use process:Command::status() to run editor with parent stdin/stdout to support vim and nano.

Shall I unrecord this patch? [ynkad] y
Hash: 9NJRGRcuNb4MZcGY8JATAAAo81ntxAC4dXJxrK56fd7qbeyE4R6tjjikLiQKuv3LtSm2SQp8oMffvobBFjAaszaf
Internal id: UBVsxpFktwa
Authors: ["Florent Becker <florent.becker@ens-lyon.org>"]
Timestamp: 2017-11-22 13:48:03.390493572 UTC

    Tests: use grep rather than bash regexps for matching command outputs

Shall I unrecord this patch? [ynkad] d
$ pijul record
In file "/home/charetjc/files/development/rust/crates/pijul/pijul/src/commands/ask.rs"

-         let _output = process::Command::new(editor)
-             .args(vec![patch_name_file.clone()])
-             .current_dir(repo_root)
-             .output()?;
+         let editor_cmd = editor.split(" ").to_owned().collect::<Vec<_>>();
+         let _exit_status = if 1 == editor_cmd.len() {
+             process::Command::new(&editor_cmd[0])
+                 .arg(patch_name_file.clone())
+                 .current_dir(repo_root)
+                 .status()?
+         } else {
+             process::Command::new(&editor_cmd[0])
+                 .args(&editor_cmd[1..])
+                 .arg(patch_name_file.clone())
+                 .current_dir(repo_root)
+                 .status()?
+         };
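Review bot: `editor.split(" ")` splits only on a single ASCII space, so an editor path or argument that itself contains a space is broken into the wrong argv, and two consecutive spaces yield an empty token that is passed as an argument; if the editor setting is meant to carry arguments like `gvim -f`, a tokenizer that honours shell-style quoting would be needed here. The `if 1 == editor_cmd.len()` branch is also redundant, since `.args(&editor_cmd[1..])` with an empty slice adds nothing, and `.to_owned()` on the `Split` iterator merely clones it and can be dropped. Passing the tokens straight to `process::Command` rather than through a shell is the right choice, as it means the config value cannot inject shell syntax.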

Shall I record this change? (1/1) [ynkad] y


Recorded patch 75hFzrsPDLgtLRR9FZSUmWnNtHoHAcnxmcsifNssV8LX6bqrBdnog3RXcUFqjSVjxSCjqkUJuahWuzwMZiG1k53p

Great, let’s check the patch on nest and see if it’s signed now.

Yep… and nope. I signed it, but I didn’t sign it. All documentation I found led me to this point.

The last step is to make sure your profile email address matches the email address used to author the patch.

I don’t quite understand why the email is necessary. The pijul docs point out that one cannot simply ~~walk into mordor~~ nest.pijul.com and ~~throw~~ paste ~~the one ring~~ any public signing key they please ~~into Mount Doom~~ onto their profile, because security. So the only way my signing pubkey is even associated with my nest account is because I authenticated with my SSH key when I ran pijul keys --upload-to.... If the pubkey from my boxofrox account validates the signature, then boxofrox must be charetjc at gmail.com, yes? If I happen to use a private email for nest account notifications and a public email for my patches, then signing patches is off the table, or vice versa.

Perhaps this is necessary in case I try to impersonate someone else…? Given I can change my author name to pmeunier at pijul.org and update my profile email address to match and generate patches that are signed :white_check_mark: by boxofrox, this doesn’t seem like a thorough reason.

And did unrecording not unrecord the patch from nest.pijul.com? How do I fix that? :sob: Hint: there’s an unrecord button I must click on nest.pijul.com to unrecord the old patch from the remote repo.

As always, I waste hours trying to figure these details out on my own, then after writing a plea for help, I realize or stumble upon the answer, or most of it at least. I’m just gonna leave this here to help out anyone else following in my bumbling footsteps.

Seriously, why do the emails have to match?
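The post's question is really about what a patch signature proves: a valid signature shows the patch was produced by whoever holds the key, but it says nothing about whether the `Authors` string inside the patch belongs to that key holder unless the verifier also checks that binding. The following Go program is an added illustration written for this thread, not Pijul's or the Nest's code and not a description of how they actually verify; the `Patch` layout, the `Registry` that maps an uploaded public key to the account email it was uploaded under, and the names, keys and sample patches are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Patch is a constructed stand-in for a recorded patch: the author string
// travels with the content and is covered by the signature.
type Patch struct {
	Author  string // e.g. "Alice <alice@example.test>"
	Content string
	Sig     []byte
}

// signingInput is the byte string the signature covers (author + content).
func signingInput(author, content string) []byte {
	return []byte(author + "\n" + content)
}

// Sign produces a patch signed with priv. The author string is whatever the
// signer chooses to put there; signing does not validate it.
func Sign(priv ed25519.PrivateKey, author, content string) Patch {
	return Patch{Author: author, Content: content,
		Sig: ed25519.Sign(priv, signingInput(author, content))}
}

// VerifySignature proves only that the holder of pub signed this patch.
func VerifySignature(pub ed25519.PublicKey, p Patch) bool {
	return ed25519.Verify(pub, signingInput(p.Author, p.Content), p.Sig)
}

// Registry is a hypothetical record of "this public key was uploaded by the
// account whose email is X", keyed by the raw public key bytes.
type Registry map[string]string

var (
	ErrBadSignature   = errors.New("signature does not verify")
	ErrUnknownKey     = errors.New("signing key not registered to any account")
	ErrAuthorMismatch = errors.New("patch author is not the identity bound to the signing key")
)

// authorEmail extracts the address from "Name <addr>"; a bare address is
// returned unchanged.
func authorEmail(author string) string {
	if i := strings.LastIndex(author, "<"); i >= 0 && strings.HasSuffix(author, ">") {
		return author[i+1 : len(author)-1]
	}
	return author
}

// VerifyBound is the check the signature alone cannot give you: the patch
// must verify under pub AND claim the identity that pub was registered to.
func VerifyBound(reg Registry, pub ed25519.PublicKey, p Patch) error {
	if !VerifySignature(pub, p) {
		return ErrBadSignature
	}
	email, ok := reg[string(pub)]
	if !ok {
		return ErrUnknownKey
	}
	if email != authorEmail(p.Author) {
		return ErrAuthorMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed registry entry: the key was uploaded by alice's account.
	reg := Registry{string(pub): "alice@example.test"}

	honest := Sign(priv, "Alice <alice@example.test>", "fix typo")
	spoofed := Sign(priv, "Mallory <mallory@example.test>", "fix typo")

	for _, p := range []Patch{honest, spoofed} {
		fmt.Printf("author=%q signature_ok=%v bound=%v\n",
			p.Author, VerifySignature(pub, p), VerifyBound(reg, pub, p))
	}
}
```

Both patches pass `VerifySignature`, because the same key signed both; only `VerifyBound` distinguishes them, and it can do so only because the registry recorded which account the key was uploaded under. Requiring the patch's author email to match the profile email is one way of making that binding checkable, which is consistent with the observation in the post that the author string alone can be set to anything.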