GNU bug report logs - #40565
make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
Reported by: elaexuotee <at> wilsonb.com
Date: Sun, 12 Apr 2020 03:00:02 UTC
Severity: important
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Sun, 12 Apr 2020 03:00:02 GMT)
Acknowledgement sent to elaexuotee <at> wilsonb.com: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 12 Apr 2020 03:00:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Playing around with the git repo and following along with:
https://guix.gnu.org/manual/en/html_node/Building-from-Git.html#Building-from-Git
make authenticate is erroring out for me:
$ make authenticate
...
Throw to `srfi-34' with args `(#<condition &message [message: "could not authenticate commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing"] 7f3e2c05eee0>)'.
It looks like the referenced key doesn't exist in the keyservers:
$ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
gpg: keyserver receive failed: No data
Am I flubbing something up? Or is this a legitimate issue?
Cheers,
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Thu, 16 Apr 2020 16:25:01 GMT)
Message #8 received at 40565 <at> debbugs.gnu.org (full text, mbox):
Ela, Eric,
elaexuotee--- via Bug reports for GNU Guix wrote:
> It looks like the referenced key doesn't exist in the
> keyservers:
>
> $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
> gpg: keyserver receive failed: No data
>
> Am I flubbing something up? Or is this a legitimate issue?
It's not you. ‘make authenticate’ is currently broken for any
practical purpose.
Eric, I didn't find any previous discussion about this. Could you
help us out by publishing this ‘secret’ key somewhere? :-)
Your key at Savannah[0] is a different one and there's no
A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS,
keys.gnupg.net, or pgp.mit.edu.
Kind regards,
T G-R
[0]: curl https://savannah.gnu.org/people/viewgpg.php?user_id=93889 | gpg
pub   rsa2048/0x34532F9FAFCA8B8E 2016-05-26 [SC]
      Key fingerprint = 34FF 38BC D151 25A6 E340  A0B5 3453 2F9F AFCA 8B8E
uid                             Eric Bavier <bavier <at> member.fsf.org>
sub   rsa2048/0x5A9C1FD168338676 2016-05-26 [E] [expired: 2017-05-26]
sub   rsa2048/0x1EBBD204781F962C 2016-05-26 [S] [expired: 2017-05-26]
sub   rsa4096/0xFD73CAC719D32566 2017-06-13 [S] [expires: 2021-06-12]
[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Fri, 17 Apr 2020 01:53:01 GMT)
Message #11 received at 40565 <at> debbugs.gnu.org (full text, mbox):
On 16.04.2020 11:24, Tobias Geerinckx-Rice wrote:
> Ela, Eric,
>
> elaexuotee--- via Bug reports for GNU Guix wrote:
>> It looks like the referenced key doesn't exist in the keyservers:
>>
>> $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
>> gpg: keyserver receive failed: No data
>>
> Eric, I didn't find any previous discussion about this. Could you
> help us out by publishing this ‘secret’ key somewhere? :-)
>
> Your key at Savannah[0] is a different one and there's no
> A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS,
> keys.gnupg.net, or pgp.mit.edu.
A0C5E352... is a signing subkey. The key on Savannah, 34FF38BC..., is
the primary key. The signature checks out with my primary key.
--
`~Eric
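Eric's point is the whole bug: the "missing" key A0C5E352...19D32566 is a signing subkey, and its long key id FD73CAC719D32566 appears as the rsa4096 subkey in the Savannah listing of primary key 34FF38BC...AFCA8B8E. The check below is an added example, not Guix's own code: it parses `gpg --with-colons` output, records which primary key owns every subkey fingerprint, and resolves a reported fingerprint or long key id to its primary key together with the subkey's validity and signing capability. SAMPLE_LISTING is constructed from the key ids quoted in this thread; its timestamps, the uid hash and the expired subkey's fingerprint are made-up values, and `list_keyring` is a hypothetical wrapper that runs the real `gpg` against a keyring file.

```python
"""Resolve the key id that ‘make authenticate’ reports as missing to the primary
OpenPGP key that owns it, by parsing ‘gpg --with-colons’ output.

Added example for this thread; not Guix code.  Record layout follows GnuPG's
doc/DETAILS.  SAMPLE_LISTING is constructed: only the key ids come from the
thread, the other fields are made up."""
import re
import subprocess

HEX_ID = re.compile(r"^(?:[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")

# Constructed sample: one primary key, an expired encryption subkey and the
# rsa4096 signing subkey whose fingerprint ends in FD73CAC719D32566.
SAMPLE_LISTING = """\
pub:-:2048:1:34532F9FAFCA8B8E:1464220800::::::scESC::::::23::0:
fpr:::::::::34FF38BCD15125A6E340A0B534532F9FAFCA8B8E:
uid:-::::1464220800::0000000000000000000000000000000000000000::Eric Bavier <bavier@member.fsf.org>::::::::::0:
sub:e:2048:1:5A9C1FD168338676:1464220800:1495756800:::::e::::::23:
fpr:::::::::0000000000000000000000005A9C1FD168338676:
sub:-:4096:1:FD73CAC719D32566:1497312000:1623456000:::::s::::::23:
fpr:::::::::A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566:
"""


def parse_listing(text):
    """Parse colon-format output.  Returns (keys, owner): keys maps a primary
    fingerprint to its key id, validity, capabilities, user ids and subkeys;
    owner maps every fingerprint (primary or sub) to its primary fingerprint."""
    keys, owner = {}, {}
    primary, pending = None, None
    for line in text.splitlines():
        f = line.split(":")
        kind = f[0]
        if kind in ("pub", "sub"):
            # 1-based fields: 2 validity, 5 key id, 7 expiry, 12 capabilities.
            # The fingerprint arrives on the following 'fpr' record.
            pending = {"kind": kind, "keyid": f[4], "validity": f[1],
                       "expires": f[6], "caps": f[11]}
        elif kind == "fpr" and pending is not None:
            fpr = f[9]
            if pending["kind"] == "pub":
                primary = fpr
                keys[fpr] = dict(pending, uids=[], subkeys={})
            elif primary is not None:
                keys[primary]["subkeys"][fpr] = pending
            owner[fpr] = primary
            pending = None
        elif kind == "uid" and primary is not None:
            keys[primary]["uids"].append(f[9])
    return keys, owner


def resolve(identifier, keys, owner):
    """Look up IDENTIFIER, a 40-hex fingerprint or a 16-hex long key id, and
    return the owning primary key plus the matched key's status, or None.
    A v4 key id is the trailing 16 hex digits of the fingerprint, so a suffix
    match covers both forms."""
    ident = identifier.upper()
    if not HEX_ID.match(ident):
        raise ValueError(f"not a fingerprint or long key id: {identifier!r}")
    for fpr, primary in owner.items():
        if fpr.endswith(ident):
            info = keys[primary] if fpr == primary else keys[primary]["subkeys"][fpr]
            # Validity 'e' expired, 'r' revoked, 'i' invalid, 'd' disabled.
            # Lowercase 's' in the capability field means this key itself signs.
            unusable = info["validity"] in ("e", "r", "i", "d")
            return {"fingerprint": fpr, "primary": primary,
                    "is_subkey": fpr != primary, "validity": info["validity"],
                    "can_sign": "s" in info["caps"],
                    "usable": "s" in info["caps"] and not unusable,
                    "uids": keys[primary]["uids"]}
    return None


def list_keyring(keyring):
    """Hypothetical wrapper: list KEYRING (for example
    ~/.config/guix/keyrings/channels/guix.kbx) with the real gpg and parse it."""
    out = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--with-colons",
         "--with-subkey-fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return parse_listing(out)


if __name__ == "__main__":
    keys, owner = parse_listing(SAMPLE_LISTING)
    for wanted in ("A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566", "FD73CAC719D32566"):
        hit = resolve(wanted, keys, owner)
        print(wanted, "->", hit["primary"] if hit else "not in keyring")
```

Running `resolve` on the subkey fingerprint from the error message answers the reporter's question directly: the key is not missing from the world, it is a subkey, and fetching the primary key (from Savannah, as the later messages do) brings it along.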
Reply sent to Tobias Geerinckx-Rice <me <at> tobias.gr>: You have taken responsibility. (Fri, 17 Apr 2020 11:16:01 GMT)
Notification sent to elaexuotee <at> wilsonb.com: bug acknowledged by developer. (Fri, 17 Apr 2020 11:16:01 GMT)
Message #16 received at 40565-done <at> debbugs.gnu.org (full text, mbox):
Eric,
Eric Bavier wrote:
> A0C5E352... is a signing subkey. The key on Savannah, 34FF38BC..., is
> the primary key. The signature checks out with my primary key.
Unbelievable… This isolation is rotting my brain. >_<
Thank you, and closing.
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 17 Apr 2020 11:23:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Fri, 17 Apr 2020 17:40:01 GMT)
Message #21 received at 40565 <at> debbugs.gnu.org (full text, mbox):
Ela,
Tobias Geerinckx-Rice via Bug reports for GNU Guix wrote:
> It's not you. ‘make authenticate’ is currently broken for any
> practical purpose.
To make it pass for now:
$ curl "https://savannah.gnu.org/people/viewgpg.php?user_id=147297" \
       "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1" |
  gpg --import --{no-default-,}keyring ~/.config/guix/keyrings/channels/guix.kbx
Kind regards,
T G-R
[signature.asc (application/pgp-signature, inline)]
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Fri, 17 Apr 2020 20:21:01 GMT)
Message #24 received at 40565 <at> debbugs.gnu.org (full text, mbox):
So,
This quick & dirty patch fixes ‘make authenticate’ by fetching the
Guix ‘Project Member GPG Keyring’ from Savannah, and an extra key file
for Ivan Petrov who isn't in the member keyring.
I still get stuck on the status below, which looks like it should be
parsed as success but isn't. That's unrelated to this patch though.
Kind regards,
T G-R
[0]: (((unparsed-line "[GNUPG:] NEWSIG")
      (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910")
      (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910")
      (unparsed-line "[GNUPG:] KEY_CONSIDERED F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0")
      (signature-id "rZTN/jnketKOnK9bnnyNMw+ff0M" "2020-01-17" 1579282240)
      (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910")
      (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910")
      (unparsed-line "[GNUPG:] KEY_CONSIDERED F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0")
      (unparsed-line "[GNUPG:] REVKEYSIG D889B0F018C5493C Tobias Geerinckx-Rice <me <at> tobias.gr>")
      (valid-signature "7E8FAED0094478EF72E64D16D889B0F018C5493C" "2020-01-17" 1579282240)
      (unparsed-line "[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23")))
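The status transcript above contains a VALIDSIG record next to a REVKEYSIG record, and whether that counts as success depends entirely on how an authenticator combines GnuPG's status tokens: VALIDSIG only reports that the cryptographic check passed and is emitted for expired and revoked keys too, while GOODSIG, EXPKEYSIG and REVKEYSIG say what state the key was in (GnuPG's doc/DETAILS documents these tokens). The classifier below is an added example, not the (guix gnupg) parser shown in the patch; it reads raw `[GNUPG:]` lines and accepts a signature only when GOODSIG is present and no rejecting token is. The three transcripts are constructed: the first is built from the status lines quoted in the message above (the trailing VALIDSIG fields are made up), the other two are invented to show a good signature and the missing-key case this bug started with.

```python
"""Classify a ‘gpg --status-fd’ transcript the way a commit authenticator
should.  Added example, not Guix code.  Token semantics per GnuPG's
doc/DETAILS; the transcripts below are constructed."""

# Tokens that must reject a signature even when VALIDSIG is also present.
REJECTING = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed from the status lines quoted in the thread; the VALIDSIG
# fields after the timestamp are made up.
REVOKED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1561675910
[GNUPG:] KEY_CONSIDERED F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0
[GNUPG:] SIG_ID rZTN/jnketKOnK9bnnyNMw+ff0M 2020-01-17 1579282240
[GNUPG:] REVKEYSIG D889B0F018C5493C Tobias Geerinckx-Rice <me@tobias.gr>
[GNUPG:] VALIDSIG 7E8FAED0094478EF72E64D16D889B0F018C5493C 2020-01-17 1579282240 0 4 0 1 10 00 7E8FAED0094478EF72E64D16D889B0F018C5493C
[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23
"""

# Constructed: a good signature by the rsa4096 subkey from this thread.
GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 34FF38BCD15125A6E340A0B534532F9FAFCA8B8E 0
[GNUPG:] SIG_ID AAAAAAAAAAAAAAAAAAAAAAAAAAA 2020-04-10 1586476800
[GNUPG:] GOODSIG FD73CAC719D32566 Eric Bavier <bavier@member.fsf.org>
[GNUPG:] VALIDSIG A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 2020-04-10 1586476800 0 4 0 1 10 00 34FF38BCD15125A6E340A0B534532F9FAFCA8B8E
"""

# Constructed: the key is not in the keyring (ERRSIG rc 9, then NO_PUBKEY).
MISSING = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FD73CAC719D32566 1 10 00 1586476800 9 A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566
[GNUPG:] NO_PUBKEY FD73CAC719D32566
"""


def parse_status(text):
    """Return [(token, argument-string)] for every '[GNUPG:] ' line."""
    records = []
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line[len("[GNUPG:] "):].split(None, 1)
        records.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return records


def classify(text):
    """Return (verdict, detail) with verdict 'good', 'missing-key' or
    'rejected'.  A signature is good only if GOODSIG appears and none of the
    REJECTING tokens does; VALIDSIG on its own is never enough."""
    records = parse_status(text)
    seen = {token for token, _ in records}
    validsig = next((args.split() for token, args in records if token == "VALIDSIG"), None)
    # VALIDSIG fields: 0 signing fingerprint ... 9 primary-key fingerprint.
    signer = validsig[0] if validsig else None
    primary = validsig[9] if validsig and len(validsig) > 9 else None
    if "NO_PUBKEY" in seen:
        keyid = next(args for token, args in records if token == "NO_PUBKEY").split()[0]
        return "missing-key", {"keyid": keyid}
    reasons = sorted(seen & REJECTING)
    if reasons or "GOODSIG" not in seen:
        return "rejected", {"reasons": reasons or ["no GOODSIG"],
                            "signer": signer, "primary": primary}
    return "good", {"signer": signer, "primary": primary}


if __name__ == "__main__":
    for name, transcript in (("revoked", REVOKED_KEY), ("good", GOOD), ("missing", MISSING)):
        print(name, "->", classify(transcript))
```

On the quoted transcript this returns `rejected` with reason `REVKEYSIG`: the signature verifies, but the signing key was revoked, which is the outcome a commit authenticator wants to surface rather than silently accept.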
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Fri, 17 Apr 2020 20:21:02 GMT)
Message #27 received at 40565 <at> debbugs.gnu.org (full text, mbox):
* build-aux/git-authenticate.scm (%project-keyring-uris)
(import-keyring-uri, import-project-keys): New variables.
(authenticate-commits): Import known project keys before authenticating.
* guix/gnupg.scm (ensure-file): New procedure.
(gnupg-receive-keys): Use it.
(gnupg-import): New exported procedure.
---
build-aux/git-authenticate.scm | 23 +++++++++++++++++++++++
guix/gnupg.scm | 24 ++++++++++++++++++++----
2 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bd33546b7f 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,7 @@
(use-modules (git)
(guix git)
(guix gnupg)
+ (guix http-client)
(guix utils)
((guix build utils) #:select (mkdir-p))
(guix i18n)
@@ -225,6 +227,26 @@
;; Commits lacking a signature.
'())
+;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
+(define %project-keyring-uris
+ ;; List of ‘project keyring’ URIs containing the %COMMITERS's keys.
+ ;; Signatures not made by any of the %AUTHORIZED-SIGNING-KEYS will still be
+ ;; rejected. Missing keys will be fetched from the %OPENPGP-KEY-SERVER.
+ (list
+ "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1"
+
+ ;; Additional keys not in the Guix keyring nor on %OPENPGP-KEY-SERVER.
+ "https://savannah.gnu.org/people/viewgpg.php?user_id=147297")) ; ipetkov
+
+(define* (import-keyring-uri uri)
+ (let* ((port (http-fetch uri))
+ (keyring (get-bytevector-all port)))
+ (close-port port)
+ (gnupg-import keyring)))
+
+(define (import-project-keys)
+ (for-each import-keyring-uri %project-keyring-uris))
+
(define-syntax-rule (with-temporary-files file1 file2 exp ...)
(call-with-temporary-output-file
(lambda (file1 port1)
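Review bot: The XXX comment above %project-keyring-uris does not match the list beneath it, which is HTTPS only; either drop it or state the actual concern. import-keyring-uri and import-project-keys carry no docstrings, and import-keyring-uri is defined with define* although it takes no optional or keyword arguments, so plain define would do. http-fetch raises on any network failure and nothing here catches it, so a single unreachable Savannah URL aborts authentication even when the keyring already holds every key it needs; consider catching the error and naming the URI that failed, or leaving the existing %OPENPGP-KEY-SERVER lookup as the fallback. The comment's point that importing a key only makes signatures verifiable, with %AUTHORIZED-SIGNING-KEYS still deciding what is accepted, is the important security property of this change and belongs in the docstring so readers do not equate "in the keyring" with "trusted".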
@@ -303,6 +325,7 @@ key: ~a")
each of them. Return an alist showing the number of occurrences of each key."
(parameterize ((current-keyring (string-append (config-directory)
"/keyrings/channels/guix.kbx")))
+ (import-project-keys)
(fold (lambda (commit stats)
(report-progress)
(let ((signer (authenticate-commit repository commit)))
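Review bot: (import-project-keys) runs unconditionally at the top of authenticate-commits, so every ‘make authenticate’ performs two HTTPS downloads even when no key is missing, and an offline checkout can no longer authenticate at all. Consider importing only when authenticate-commit reports a missing key (the path that already calls gnupg-receive-keys) or gating the fetch behind an option.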
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..f407dfcab4 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita <at> karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -18,6 +19,7 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (guix gnupg)
+ #:use-module (ice-9 binary-ports)
#:use-module (ice-9 popen)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
@@ -30,6 +32,7 @@
#:export (%gpg-command
%openpgp-key-server
current-keyring
+ gnupg-import
gnupg-verify
gnupg-verify*
gnupg-status-good-signature?
@@ -173,18 +176,31 @@ missing key or its key id if the fingerprint is unavailable."
(_ #f)))
status))
+(define* (ensure-file file)
+ "Create a new empty FILE if none with that name exists."
+ (unless (file-exists? file)
+ (mkdir-p (dirname file))
+ (call-with-output-file file (const #t))))
+
(define* (gnupg-receive-keys fingerprint/key-id server
#:optional (keyring (current-keyring)))
"Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to
KEYRING."
- (unless (file-exists? keyring)
- (mkdir-p (dirname keyring))
- (call-with-output-file keyring (const #t))) ;create an empty keybox
-
+ (ensure-file keyring)
(zero? (system* (%gpg-command) "--keyserver" server
"--no-default-keyring" "--keyring" keyring
"--recv-keys" fingerprint/key-id)))
+(define* (gnupg-import keys
+ #:optional (keyring (current-keyring)))
+ "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
+ (ensure-file keyring)
+ (let ((pipe (open-pipe* OPEN_WRITE
+ (%gpg-command) "--import" "--batch" "--quiet"
+ "--no-default-keyring" "--keyring" keyring)))
+ (put-bytevector pipe keys)
+ (close-port pipe)))
+
(define* (gnupg-verify* sig file
#:key
(key-download 'interactive)
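Review bot: gnupg-import gives the caller no way to learn whether gpg accepted the keys. close-port on a port from open-pipe* does not wait for the child or return its exit status; use close-pipe and return (zero? (status:exit-val (close-pipe pipe))) so the procedure matches gnupg-receive-keys, which returns (zero? (system* ...)). "--quiet" together with "--batch" also hides the import summary, so a keyring that fails to parse goes unnoticed; drop "--quiet" or capture stderr. ensure-file is defined with define* without optional arguments; plain define suffices. The docstring says "a bytevector produced by ‘gpg --export’", but the Savannah downloads are whatever that page serves; gpg --import accepts binary and ASCII-armored input alike, so "OpenPGP key material" describes the contract better.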
--
2.25.2
Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Fri, 17 Apr 2020 21:36:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#40565; Package guix. (Sun, 19 Apr 2020 11:16:02 GMT)
Message #32 received at 40565 <at> debbugs.gnu.org (full text, mbox):
Hi Tobias,
Tobias Geerinckx-Rice <me <at> tobias.gr> wrote:
> * build-aux/git-authenticate.scm (%project-keyring-uris)
> (import-keyring-uri, import-project-keys): New variables.
> (authenticate-commits): Import known project keys before authenticating.
> * guix/gnupg.scm (ensure-file): New procedure.
> (gnupg-receive-keys): Use it.
> (gnupg-import): New exported procedure.
The patch LGTM but it doesn’t apply for some reason. Could you take a
look?
> +;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
> +(define %project-keyring-uris
I’m not sure what the XXX comment means. We’re fetching over HTTPS
anyway, right?
> +(define* (import-keyring-uri uri)
> + (let* ((port (http-fetch uri))
> + (keyring (get-bytevector-all port)))
> + (close-port port)
> + (gnupg-import keyring)))
IWBN if ‘gnupg-import’ could take an input port instead of a bytevector.
It’d be great if you could add docstrings for top-level procedures.
> +(define* (gnupg-import keys
> + #:optional (keyring (current-keyring)))
> + "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
> + (ensure-file keyring)
> + (let ((pipe (open-pipe* OPEN_WRITE
> + (%gpg-command) "--import" "--batch" "--quiet"
> + "--no-default-keyring" "--keyring" keyring)))
> + (put-bytevector pipe keys)
> + (close-port pipe)))
So what about changing ‘keys’ to ‘port’, and then you would:
(dump-port port pipe)
?
Thanks for addressing this!
Ludo’.
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Mon, 04 May 2020 09:03:01 GMT)
Notification sent to elaexuotee <at> wilsonb.com: bug acknowledged by developer. (Mon, 04 May 2020 09:03:01 GMT)
Message #37 received at 40565-done <at> debbugs.gnu.org (full text, mbox):
Hi again Tobias,
Ludovic Courtès <ludo <at> gnu.org> wrote:
> Tobias Geerinckx-Rice <me <at> tobias.gr> wrote:
>
>> * build-aux/git-authenticate.scm (%project-keyring-uris)
>> (import-keyring-uri, import-project-keys): New variables.
>> (authenticate-commits): Import known project keys before authenticating.
>> * guix/gnupg.scm (ensure-file): New procedure.
>> (gnupg-receive-keys): Use it.
>> (gnupg-import): New exported procedure.
>
> The patch LGTM but it doesn’t apply for some reason. Could you take a
> look?
With commit 041dc3a9c0694ada41b86115b9774a23c9d50f73, this change
becomes unnecessary (see <https://issues.guix.gnu.org/issue/22883#64>
about the ‘keyring’ branch.)
Closing!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Jun 2020 11:24:07 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.