GNU bug report logs - #32674
[PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Sun, 9 Sep 2018 20:45:02 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)





From: Ludovic Courtès <ludo <at> gnu.org>
To: 32674 <at> debbugs.gnu.org
Cc: Vagrant Cascadian <vagrant <at> debian.org>, Mark H Weaver <mhw <at> netris.org>, Ludovic Courtès <ludo <at> gnu.org>, Mike Gerwitz <mtg <at> gnu.org>, Leo Famulari <leo <at> famulari.name>
Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Sun,  9 Sep 2018 22:43:35 +0200
Hello Guix,

(Cc’ing people with expertise and interest in this…)

This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
file format to store and read upstream public keys (instead of using the
user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
of ‘gpg --verify’.

‘gpgv’ is specifically designed for use cases like software signature
verification against a keyring of “trusted keys” (it’s used by APT and
Werner Koch recommends it¹.)  A significant difference compared to
‘gpg --verify’ is that it doesn’t check whether keys are expired or
revoked; all that matters is whether the signature is valid and whether
the signing key is in the specified keyring.  I think that’s what we
want when checking the signature of a tarball or Git commit.

This patch changes the behavior of ‘guix refresh -u’, which now uses,
by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
That means that if you already have upstream keys in your own keyring,
you’ll probably want to export them to this keyring.

Unfortunately the keybox format and tools are poorly documented, which
is why I gave examples on how to do that in guix.texi.

Feedback welcome!

Thanks,
Ludo’.

¹ https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#58

Ludovic Courtès (1):
  gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly.

 doc/guix.texi            | 30 +++++++++++++++++++++
 guix/gnupg.scm           | 58 +++++++++++++++++++++++++++++-----------
 guix/scripts/refresh.scm | 13 +++++++--
 3 files changed, 83 insertions(+), 18 deletions(-)

-- 
2.18.0
