GNU bug report logs - #36956
[PATCH] machine: Automatically authorize the coordinator's signing key.

Previous Next

Package: guix-patches;

Reported by: zerodaysfordays <at> sdf.lonestar.org (Jakob L. Kreuze)

Date: Wed, 7 Aug 2019 12:49:02 UTC

Severity: normal

Tags: patch

Done: Christopher Lemmer Webber <cwebber <at> dustycloud.org>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 36956 <at> debbugs.gnu.org (full text, mbox):

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Jakob L. Kreuze <zerodaysfordays <at> sdf.lonestar.org>
Cc: 36956 <at> debbugs.gnu.org
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
Date: Wed, 07 Aug 2019 21:39:51 +0200

Jakob L. Kreuze <zerodaysfordays <at> sdf.lonestar.org> writes:

> +(define (remote-authorize-signing-key key session)
> +  "Send KEY, a canonical sexp containing a public key, over SESSION and add it
> +to the system ACL file if it has not yet been authorized."
> +  (inferior-remote-eval
> +   `(begin
> +      (use-modules (guix build utils)
> +                   (guix pki)
> +                   (guix utils)
> +                   (gcrypt pk-crypto)
> +                   (srfi srfi-26))
> +
> +      (define acl (current-acl))
> +      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
> +
> +      (unless (authorized-key? key)
> +        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
> +          (mkdir-p (dirname %acl-file))
> +          (with-atomic-file-output %acl-file
> +            (cut write-acl acl <>)))))
> +   session))
> +

This will overwrite an existing acl file on the remote with a copy that
differs only in the newly added key.

Is there a chance for corruption, e.g. if acl->public-keys returns
something unexpected?

--
Ricardo
This bug report was last modified 6 years ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.