GNU bug report logs - #40689: [PATCH] gnupg: Accept revoked keys.
Reported by: Tobias Geerinckx-Rice <me <at> tobias.gr>
Date: Fri, 17 Apr 2020 21:26:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#40689; Package guix-patches. (Fri, 17 Apr 2020 21:26:02 GMT)
Acknowledgement sent to Tobias Geerinckx-Rice <me <at> tobias.gr>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 17 Apr 2020 21:26:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones. This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
---
build-aux/git-authenticate.scm | 7 ++++---
guix/gnupg.scm | 11 ++++++++++-
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bb48dddc59 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -147,11 +148,11 @@
("mthl"
"F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37")
("nckx"
- ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
- "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
- ("nckx (2nd)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79")
+ ("nckx (revoked; not compromised)"
+ ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
+ "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("niedzejkob"
"E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564")
("ngz"
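Review bot: The re-added entry for 7E8F AED0 ... 18C5 493C gives its justification only in the name string "nckx (revoked; not compromised)", and nothing in %committers says why a revoked subkey has to stay listed. A short comment next to the entry stating that it is kept so that commits already in history still authenticate would help. Since gnupg-status-good-signature? in guix/gnupg.scm now treats REVKEYSIG as good, nothing visible in this patch distinguishes those old commits from new ones signed with the same subkey, so the comment should say whether that is intended.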
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..5fae24b325 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita <at> karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me <at> tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -71,6 +72,8 @@
"^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
(define expkeysig-rx ; good signature, but expired key
(make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
+(define revkeysig-rx ; good signature, but revoked key
+ (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
(define errsig-rx
;; Note: The fingeprint part (the last element of the line) appeared in
;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed."
(lambda (match)
`(expired-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name
+ ((regexp-exec revkeysig-rx line)
+ =>
+ (lambda (match)
+ `(revoked-key-signature ,(match:substring match 1) ; fingerprint
+ ,(match:substring match 2)))) ; user name
((regexp-exec errsig-rx line)
=>
(lambda (match)
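Review bot: The "; fingerprint" comment on the first capture of revkeysig-rx in the new clause is carried over from the expired-key clause above it, but gnupg-status-good-signature? binds that position as key-id and takes the fingerprint from the valid-signature entry instead. Labelling the capture as the key ID here (and in the expired-key clause) would keep a later reader from comparing it against the fingerprints in %committers.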
@@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise."
(match (assq 'valid-signature status)
(('valid-signature fingerprint date timestamp)
(match (or (assq 'good-signature status)
- (assq 'expired-key-signature status))
+ (assq 'expired-key-signature status)
+ (assq 'revoked-key-signature status))
((_ key-id user) (cons fingerprint user))
(_ #f)))
(_
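Review bot: Adding (assq 'revoked-key-signature status) to the "or" makes gnupg-status-good-signature? return a fingerprint/user pair for a signature made by any revoked key, for every caller of the predicate, not only for the retired RSA subkey this patch is about; a key revoked because it was compromised passes the same way. The docstring should state that expired and revoked keys are accepted, and it would be safer to make the acceptance opt-in (for example an argument the caller sets) so that the predicate stays strict by default.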
--
2.25.2
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Fri, 17 Apr 2020 21:36:02 GMT)
Notification sent to Tobias Geerinckx-Rice <me <at> tobias.gr>: bug acknowledged by developer. (Fri, 17 Apr 2020 21:36:03 GMT)
Message #10 received at 40689-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Tobias Geerinckx-Rice <me <at> tobias.gr> skribis:
> I (nckx) have revoked all RSA subkeys, in favour of my older and
> freshly-refreshed ECDSA ones. This was merely a precaution: to my
> knowledge all my RSA private keys have been carefully destroyed and
> were never compromised. This commit keeps ‘make authenticate’ happy.
>
> * guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
> (gnupg-verify): Parse it.
> (gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
> * build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Great. Applied on your behalf, thanks!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 16 May 2020 11:24:06 GMT)
This bug report was last modified 5 years and 86 days ago.