From: "Ludovic Courtès" <ludo@gnu.org>
To: 32674@debbugs.gnu.org
Cc: Vagrant Cascadian <vagrant@debian.org>, Mark H Weaver <mhw@netris.org>
Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Sun,  9 Sep 2018 22:43:35 +0200
Message-ID: <20180909204335.21400-1-ludo@gnu.org>

Hello Guix,

(Cc’ing people with expertise and interest in this…)

This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
file format to store and read upstream public keys (instead of using the
user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
of ‘gpg --verify’.

‘gpgv’ is specifically designed for use cases like software signature
verification against a keyring of “trusted keys” (it’s used by APT and
Werner Koch recommends it¹.)  A significant difference compared to
‘gpg --verify’ is that it doesn’t check whether keys are expired or
revoked; all that matters is whether the signature is valid and whether
the signing key is in the specified keyring.  I think that’s what we
want when checking the signature of a tarball or Git commit.

This patch changes the behavior of ‘guix refresh -u’, which now uses,
by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
That means that if you already have upstream keys in your own keyring,
you’ll probably want to export them to this keyring.

Unfortunately the keybox format and tools are poorly documented, which
is why I gave examples on how to do that in guix.texi.

Feedback welcome!

Thanks,
Ludo’.

¹ https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#58

Ludovic Courtès (1):
  gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly.

 doc/guix.texi            | 30 +++++++++++++++++++++
 guix/gnupg.scm           | 58 +++++++++++++++++++++++++++++-----------
 guix/scripts/refresh.scm | 13 +++++++--
 3 files changed, 83 insertions(+), 18 deletions(-)

-- 
2.18.0
