* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
@ 2020-04-12 2:55 elaexuotee--- via Bug reports for GNU Guix
2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix
0 siblings, 2 replies; 9+ messages in thread
From: elaexuotee--- via Bug reports for GNU Guix @ 2020-04-12 2:55 UTC (permalink / raw)
To: 40565
[-- Attachment #1.1: Type: text/plain, Size: 693 bytes --]
Playing around with the git repo and following along with:
https://guix.gnu.org/manual/en/html_node/Building-from-Git.html#Building-from-Git
make authenticate is erroring out for me:
$ make authenticate
...
Throw to `srfi-34' with args `(#<condition &message [message: "could not authenticate commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing"] 7f3e2c05eee0>)'.
It looks like the referenced key doesn't exist in the keyservers:
$ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
gpg: keyserver receive failed: No data
Am I flubbing something up? Or is this a legitimate issue?
Cheers,
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix
@ 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 1:52 ` Eric Bavier
2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix
1 sibling, 2 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-16 16:24 UTC (permalink / raw)
To: 40565; +Cc: Eric Bavier
[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]
Ela, Eric,
elaexuotee--- via Bug reports for GNU Guix 写道:
> It looks like the referenced key doesn't exist in the
> keyservers:
>
> $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
> gpg: keyserver receive failed: No data
>
> Am I flubbing something up? Or is this a legitimate issue?
It's not you. ‘make authenticate’ is currently broken for any
practical purpose.
Eric, I didn't find any previous discussion about this. Could you
help us out by publishing this ‘secret’ key somewhere? :-)
Your key at Savannah[0] is a different one and there's no
A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS,
keys.gnupg.net, or pgp.mit.edu.
Kind regards,
T G-R
[0]: curl
https://savannah.gnu.org/people/viewgpg.php?user_id=93889 | gpg
pub rsa2048/0x34532F9FAFCA8B8E 2016-05-26 [SC]
Key fingerprint = 34FF 38BC D151 25A6 E340 A0B5 3453 2F9F
AFCA 8B8E
uid Eric Bavier
<bavier@member.fsf.org>
sub rsa2048/0x5A9C1FD168338676 2016-05-26 [E] [expired:
2017-05-26]
sub rsa2048/0x1EBBD204781F962C 2016-05-26 [S] [expired:
2017-05-26]
sub rsa4096/0xFD73CAC719D32566 2017-06-13 [S] [expires:
2021-06-12]
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-04-17 1:52 ` Eric Bavier
2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
1 sibling, 1 reply; 9+ messages in thread
From: Eric Bavier @ 2020-04-17 1:52 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: 40565
On 16.04.2020 11:24, Tobias Geerinckx-Rice wrote:
> Ela, Eric,
>
> elaexuotee--- via Bug reports for GNU Guix 写道:
>> It looks like the referenced key doesn't exist in the keyservers:
>>
>> $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
>> gpg: keyserver receive failed: No data
>>
> Eric, I didn't find any previous discussion about this. Could you
> help us out by publishing this ‘secret’ key somewhere? :-)
>
> Your key at Savannah[0] is a different one and there's no
> A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS,
> keys.gnupg.net, or pgp.mit.edu.
A0C5E352... is a signing subkey. The key on Savannah, 34FF38BC..., is
the primary key. The signature checks out with my primary key.
--
`~Eric
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
2020-04-17 1:52 ` Eric Bavier
@ 2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
0 siblings, 0 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 11:15 UTC (permalink / raw)
To: 40565-done
[-- Attachment #1: Type: text/plain, Size: 291 bytes --]
Eric,
Eric Bavier 写道:
> A0C5E352... is a signing subkey. The key on Savannah,
> 34FF38BC..., is
> the primary key. The signature checks out with my primary key.
Unbelievable… This isolation is rotting my brain. >_<
Thank you, and closing.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing
2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 1:52 ` Eric Bavier
@ 2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
1 sibling, 0 replies; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 17:39 UTC (permalink / raw)
To: 40565
[-- Attachment #1: Type: text/plain, Size: 458 bytes --]
Ela,
Tobias Geerinckx-Rice via Bug reports for GNU Guix 写道:
> It's not you. ‘make authenticate’ is currently broken for any
> practical purpose.
To make it pass for now:
$ curl
"https://savannah.gnu.org/people/viewgpg.php?user_id=147297" \
"https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1"
|
gpg --import --{no-default-,}keyring
~/.config/guix/keyrings/channels/guix.kbx
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 0/1] bug#40565: make authenticate fails
2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix
2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-04-17 20:20 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix
1 sibling, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 UTC (permalink / raw)
To: 40565
So,
This quick & dirty patch fixes ‘make authenticate’ by fetching the
Guix ‘Project Member GPG Keyring’ from Savannah, and an extra key file
for Ivan Petrov who isn't in the member keyring.
I still get stuck on the status below, which looks like it should be
parsed as success but isn't. That's unrelated to this patch though.
Kind regards,
T G-R
[0]: (((unparsed-line "[GNUPG:] NEWSIG") (unparsed-line "[GNUPG:]
KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED
1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED
F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (signature-id
"rZTN/jnketKOnK9bnnyNMw+ff0M" "2020-01-17" 1579282240) (unparsed-line
"[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED
1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED
F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (unparsed-line "[GNUPG:]
REVKEYSIG D889B0F018C5493C Tobias Geerinckx-Rice <me@tobias.gr>")
(valid-signature "7E8FAED0094478EF72E64D16D889B0F018C5493C"
"2020-01-17" 1579282240) (unparsed-line "[GNUPG:]
VERIFICATION_COMPLIANCE_MODE 23")))
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.
2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-04-17 20:20 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-19 11:15 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 UTC (permalink / raw)
To: 40565
* build-aux/git-authenticate.scm (%project-keyring-uris)
(import-keyring-uri, import-project-keys): New variables.
(authenticate-commits): Import known project keys before authenticating.
* guix/gnupg.scm (ensure-file): New procedure.
(gnupg-receive-keys): Use it.
(gnupg-import): New exported procedure.
---
build-aux/git-authenticate.scm | 23 +++++++++++++++++++++++
guix/gnupg.scm | 24 ++++++++++++++++++++----
2 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bd33546b7f 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,7 @@
(use-modules (git)
(guix git)
(guix gnupg)
+ (guix http-client)
(guix utils)
((guix build utils) #:select (mkdir-p))
(guix i18n)
@@ -225,6 +227,26 @@
;; Commits lacking a signature.
'())
+;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
+(define %project-keyring-uris
+ ;; List of ‘project keyring’ URIs containing the %COMMITERS's keys.
+ ;; Signatures not made by any of the %AUTHORIZED-SIGNING-KEYS will still be
+ ;; rejected. Missing keys will be fetched from the %OPENPGP-KEY-SERVER.
+ (list
+ "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1"
+
+ ;; Additional keys not in the Guix keyring nor on %OPENPGP-KEY-SERVER.
+ "https://savannah.gnu.org/people/viewgpg.php?user_id=147297")) ; ipetkov
+
+(define* (import-keyring-uri uri)
+ (let* ((port (http-fetch uri))
+ (keyring (get-bytevector-all port)))
+ (close-port port)
+ (gnupg-import keyring)))
+
+(define (import-project-keys)
+ (for-each import-keyring-uri %project-keyring-uris))
+
(define-syntax-rule (with-temporary-files file1 file2 exp ...)
(call-with-temporary-output-file
(lambda (file1 port1)
@@ -303,6 +325,7 @@ key: ~a")
each of them. Return an alist showing the number of occurrences of each key."
(parameterize ((current-keyring (string-append (config-directory)
"/keyrings/channels/guix.kbx")))
+ (import-project-keys)
(fold (lambda (commit stats)
(report-progress)
(let ((signer (authenticate-commit repository commit)))
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..f407dfcab4 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -18,6 +19,7 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (guix gnupg)
+ #:use-module (ice-9 binary-ports)
#:use-module (ice-9 popen)
#:use-module (ice-9 match)
#:use-module (ice-9 regex)
@@ -30,6 +32,7 @@
#:export (%gpg-command
%openpgp-key-server
current-keyring
+ gnupg-import
gnupg-verify
gnupg-verify*
gnupg-status-good-signature?
@@ -173,18 +176,31 @@ missing key or its key id if the fingerprint is unavailable."
(_ #f)))
status))
+(define* (ensure-file file)
+ "Create a new empty FILE if none with that name exists."
+ (unless (file-exists? file)
+ (mkdir-p (dirname file))
+ (call-with-output-file file (const #t))))
+
(define* (gnupg-receive-keys fingerprint/key-id server
#:optional (keyring (current-keyring)))
"Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to
KEYRING."
- (unless (file-exists? keyring)
- (mkdir-p (dirname keyring))
- (call-with-output-file keyring (const #t))) ;create an empty keybox
-
+ (ensure-file keyring)
(zero? (system* (%gpg-command) "--keyserver" server
"--no-default-keyring" "--keyring" keyring
"--recv-keys" fingerprint/key-id)))
+(define* (gnupg-import keys
+ #:optional (keyring (current-keyring)))
+ "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
+ (ensure-file keyring)
+ (let ((pipe (open-pipe* OPEN_WRITE
+ (%gpg-command) "--import" "--batch" "--quiet"
+ "--no-default-keyring" "--keyring" keyring)))
+ (put-bytevector pipe keys)
+ (close-port pipe)))
+
(define* (gnupg-verify* sig file
#:key
(key-download 'interactive)
--
2.25.2
^ permalink raw reply related [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.
2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix
@ 2020-04-19 11:15 ` Ludovic Courtès
2020-05-04 9:02 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2020-04-19 11:15 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: 40565
Hi Tobias,
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> * build-aux/git-authenticate.scm (%project-keyring-uris)
> (import-keyring-uri, import-project-keys): New variables.
> (authenticate-commits): Import known project keys before authenticating.
> * guix/gnupg.scm (ensure-file): New procedure.
> (gnupg-receive-keys): Use it.
> (gnupg-import): New exported procedure.
The patch LGTM but it doesn’t apply for some reason. Could you take a
look?
> +;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
> +(define %project-keyring-uris
I’m not sure what the XXX comment means. We’re fetching over HTTPS
anyway, right?
> +(define* (import-keyring-uri uri)
> + (let* ((port (http-fetch uri))
> + (keyring (get-bytevector-all port)))
> + (close-port port)
> + (gnupg-import keyring)))
IWBN if ‘gnupg-import’ could take an input port instead of a bytevector.
It’d be great if you could add docstrings for top-level procedures.
> +(define* (gnupg-import keys
> + #:optional (keyring (current-keyring)))
> + "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
> + (ensure-file keyring)
> + (let ((pipe (open-pipe* OPEN_WRITE
> + (%gpg-command) "--import" "--batch" "--quiet"
> + "--no-default-keyring" "--keyring" keyring)))
> + (put-bytevector pipe keys)
> + (close-port pipe)))
So what about changing ‘keys’ to ‘port’, and then you would:
(dump-port port pipe)
?
Thanks for addressing this!
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.
2020-04-19 11:15 ` Ludovic Courtès
@ 2020-05-04 9:02 ` Ludovic Courtès
0 siblings, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2020-05-04 9:02 UTC (permalink / raw)
To: Tobias Geerinckx-Rice; +Cc: 40565-done
Hi again Tobias,
Ludovic Courtès <ludo@gnu.org> skribis:
> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> * build-aux/git-authenticate.scm (%project-keyring-uris)
>> (import-keyring-uri, import-project-keys): New variables.
>> (authenticate-commits): Import known project keys before authenticating.
>> * guix/gnupg.scm (ensure-file): New procedure.
>> (gnupg-receive-keys): Use it.
>> (gnupg-import): New exported procedure.
>
> The patch LGTM but it doesn’t apply for some reason. Could you take a
> look?
With commit 041dc3a9c0694ada41b86115b9774a23c9d50f73, this change
becomes unnecessary (see <https://issues.guix.gnu.org/issue/22883#64>
about the ‘keyring’ branch.)
Closing!
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-05-04 9:03 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix
2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 1:52 ` Eric Bavier
2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix
2020-04-19 11:15 ` Ludovic Courtès
2020-05-04 9:02 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).