Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
From: Ludovic Courtès
Date: Sun, 9 Sep 2018 22:43:35 +0200
Message-Id: <20180909204335.21400-1-ludo@gnu.org>
To: 32674@debbugs.gnu.org
Cc: Vagrant Cascadian, Mark H Weaver

Hello Guix,

(Cc’ing people with expertise and interest in this…)

This patch changes (guix gnupg) so that it uses keyrings in the “keybox” file format to store and read upstream public keys (instead of using the user’s default keyring), and so that it uses ‘gpgv --keyring’ instead of ‘gpg --verify’.

‘gpgv’ is specifically designed for use cases like software signature verification against a keyring of “trusted keys” (it’s used by APT and Werner Koch recommends it¹.) A significant difference compared to ‘gpg --verify’ is that it doesn’t check whether keys are expired or revoked; all that matters is whether the signature is valid and whether the signing key is in the specified keyring. I think that’s what we want when checking the signature of a tarball or Git commit.

This patch changes the behavior of ‘guix refresh -u’, which now uses, by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx. That means that if you already have upstream keys in your own keyring, you’ll probably want to export them to this keyring. Unfortunately the keybox format and tools are poorly documented, which is why I gave examples on how to do that in guix.texi.

Feedback welcome!

Thanks,
Ludo’.

¹ https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#58

Ludovic Courtès (1):
  gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly.

 doc/guix.texi            | 30 +++++++++++++++++++++
 guix/gnupg.scm           | 58 +++++++++++++++++++++++++++++-----------
 guix/scripts/refresh.scm | 13 +++++++--
 3 files changed, 83 insertions(+), 18 deletions(-)

-- 
2.18.0
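As an added example (not code from this patch or from Guix), a small shell script that does what the message asks of users: it copies a key from the default GnuPG keyring into the keybox file that ‘guix refresh -u’ reads, and verifies a detached signature with ‘gpgv --keyring’, deciding from ‘--status-fd’ lines rather than from the exit status. Assumptions not on the page: that gpg creates a missing keyring named *.kbx in keybox format, the GUIX_UPSTREAM_KEYRING override variable, and the function names.

```shell
#!/bin/sh
# Added example, not code from the patch or from Guix.
# Keybox keyring that 'guix refresh -u' reads by default (the override
# variable GUIX_UPSTREAM_KEYRING is an assumption of this example).
KEYRING="${GUIX_UPSTREAM_KEYRING:-$HOME/.config/guix/upstream/trustedkeys.kbx}"

# Copy one key from the default GnuPG keyring into the keybox file.
# Assumption: gpg creates a missing keyring named *.kbx in keybox format.
export_to_keybox() {
  mkdir -p "$(dirname "$KEYRING")"
  gpg --export "$1" |
    gpg --no-default-keyring --keyring "$KEYRING" --import
}

# Read gpgv status lines from stdin.  Succeed only when a VALIDSIG line
# is present and no BADSIG, ERRSIG or NO_PUBKEY line appears, so an
# unknown or broken signature is never mistaken for a good one.  gpgv
# does not look at expiry or revocation: the keyring's contents are the
# whole trust decision, so only vetted upstream keys belong in it.
judge_status() {
  valid=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*) valid=0 ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        return 1 ;;
    esac
  done
  return "$valid"
}

# verify_with_gpgv TARBALL SIGNATURE: check a detached signature using
# only the keys in $KEYRING; human-readable chatter goes to /dev/null,
# machine-readable status lines go to judge_status.
verify_with_gpgv() {
  gpgv --keyring "$KEYRING" --status-fd 1 "$2" "$1" 2>/dev/null | judge_status
}
```

Typical use is ‘export_to_keybox KEYID’ once per upstream key, then ‘verify_with_gpgv foo.tar.gz foo.tar.gz.sig’, which exits 0 only for a valid signature by a key in the keybox.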