GNU bug report logs - #32674
[PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 9 Sep 2018 20:45:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, Mark H Weaver <mhw <at> netris.org>, 32674 <at> debbugs.gnu.org, Mike Gerwitz <mtg <at> gnu.org>
Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Thu, 13 Sep 2018 12:29:04 -0400

[Message part 1 (text/plain, inline)]
On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
> Hello Guix,
> 
> (Cc’ing people with expertise and interest in this…)
> 
> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
> file format to store and read upstream public keys (instead of using the
> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
> of ‘gpg --verify’.
> 
> ‘gpgv’ is specifically designed for use cases like software signature
> verification against a keyring of “trusted keys” (it’s used by APT and
> Werner Koch recommends it¹.)  A significant difference compared to
> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
> revoked; all that matters is whether the signature is valid and whether
> the signing key is in the specified keyring.  I think that’s what we
> want when checking the signature of a tarball or Git commit.

Great, this is a big improvement. It would be awesome if we could get
similar support in Git (or find another way to authenticate our code).

> This patch changes the behavior of ‘guix refresh -u’, which now uses,
> by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
> That means that if you already have upstream keys in your own keyring,
> you’ll probably want to export them to this keyring.
> 
> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.
> 
> Feedback welcome!

LGTM!

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 6 years and 248 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.