GNU bug report logs - #25094
Add comments to archive keys and acls

Previous Next

Package: guix;

Reported by: Hartmut Goebel <h.goebel <at> crazy-compilers.com>

Date: Fri, 2 Dec 2016 17:39:01 UTC

Severity: wishlist

Full log

View this message in rfc822 format

From: Leo Famulari <leo <at> famulari.name>
To: Hartmut Goebel <h.goebel <at> crazy-compilers.com>
Cc: 25094 <at> debbugs.gnu.org
Subject: bug#25094: Add comments to archive keys and acls
Date: Fri, 2 Dec 2016 13:13:51 -0500

On Fri, Dec 02, 2016 at 06:38:12PM +0100, Hartmut Goebel wrote:
> Hi,
> 
> the keys for authenticating an archive currently do not hold any
> comment. This makes it hard to track acls and remove certain keys if
> required.

Indeed, this makes key management a little harder than it needs to be.

> Please implement some way to add and change the comment on keys in
> /etc/guix/ and in /etc/guix/acl.
> 
> Proposed usage when generating the key:
>   guix archive --generate-key=… --comment "store.example.com"
> 
> Proposed usage when importing the key and overwriting any existing comment
> 
>   guix archive --authorize --comment "store.example.com"
> 
> For now, since we have no commands for key management, these would be
> enough IMO. Existing commenty an easily be changed in the file, so for
> now we do not need a tool for this.

I think that the comment should either be signed somehow, or the field
name should be "untrusted-comment".

OpenBSD's signify tool (which we have a port of in Guix) does this:

------
$ cat foo.pub
untrusted comment: Leo's example public key
RWRrY3me0s1DYDBfpcUKZ+ul9m8FgdZfz5+cHjxBabEsvDrjL/ecTeUL
------

Minisign, which is a 3rd party tool compatible with signify, also has
trusted comments:

https://github.com/jedisct1/minisign/blob/master/src/manpage.md#notes
This bug report was last modified 8 years and 139 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.