From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:55525) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1g0UVJ-0003Io-VG for guix-patches@gnu.org; Thu, 13 Sep 2018 12:30:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1g0UVG-0003Ua-Qi for guix-patches@gnu.org; Thu, 13 Sep 2018 12:30:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:35171) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1g0UVG-0003UO-MH for guix-patches@gnu.org; Thu, 13 Sep 2018 12:30:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1g0UVG-0001tO-Eh for guix-patches@gnu.org; Thu, 13 Sep 2018 12:30:02 -0400 Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co. Resent-Message-ID: Date: Thu, 13 Sep 2018 12:29:04 -0400 From: Leo Famulari Message-ID: <20180913162904.GA11458@jasmine.lan> References: <20180909204335.21400-1-ludo@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline In-Reply-To: <20180909204335.21400-1-ludo@gnu.org> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: Vagrant Cascadian , Mark H Weaver , 32674@debbugs.gnu.org --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Court=C3=A8s wrote: > Hello Guix, >=20 > (Cc=E2=80=99ing people with expertise and interest in this=E2=80=A6) >=20 > This patch changes (guix gnupg) so that it uses keyrings in the =E2=80=9C= keybox=E2=80=9D > file format to store and read upstream public keys (instead of using the > user=E2=80=99s default keyring), and so that it uses =E2=80=98gpgv --keyr= ing=E2=80=99 instead > of =E2=80=98gpg --verify=E2=80=99. >=20 > =E2=80=98gpgv=E2=80=99 is specifically designed for use cases like softwa= re signature > verification against a keyring of =E2=80=9Ctrusted keys=E2=80=9D (it=E2= =80=99s used by APT and > Werner Koch recommends it=C2=B9.) A significant difference compared to > =E2=80=98gpg --verify=E2=80=99 is that it doesn=E2=80=99t check whether k= eys are expired or > revoked; all that matters is whether the signature is valid and whether > the signing key is in the specified keyring. I think that=E2=80=99s what= we > want when checking the signature of a tarball or Git commit. Great, this is a big improvement. It would be awesome if we could get similar support in Git (or find another way to authenticate our code). > This patch changes the behavior of =E2=80=98guix refresh -u=E2=80=99, whi= ch now uses, > by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx. > That means that if you already have upstream keys in your own keyring, > you=E2=80=99ll probably want to export them to this keyring. >=20 > Unfortunately the keybox format and tools are poorly documented, which > is why I gave examples on how to do that in guix.texi. >=20 > Feedback welcome! LGTM! --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAluakE0ACgkQJkb6MLrK fwj18A//SgCDztHbbpSso09CG51/CJc9RPr6vMQT3h1jbeyWyHG39uRQRoVyKDN9 YiWvM1begFmG0MjKu/g+8SJQWNNrk+tvqfu9g8FkRjQJ2Yrq+7dTIu1MYfVYlGMy XQusLfXGWiTtbYeN8JhbMpp5ErIR8OtEEpm4pxF1b9spUXGfSxbHvz+o4z1NXeUK k2ucgDK8cRQd3rq2PswuJdONyB16oUF9XgYTnCmhg4m32Ngsw8XeYCK4Cb6VRg/0 UumtzUg70Wj43hvtCgUw0uCFpglVQ1jzo9s9XzN9QBour+kEHO7Exzpy51FctoGU VDcWmKk0Ep05f9wkTM1kcXCzxWRapPPs6bUY2gW+ZBb2fOWVdP1VRNExfXIWXUTS 3hilmw1mQIKpfiOPjChhOCEI5MYtU/xJNVAshVAvNc+09VDQOoTYJK3YSemCqy0k LqpAbHojF3nK8exDNT0zt9R/3I9lFSVPBgmrvY1heEpNrbJzUnAKNBqXLdBoqOPi aQpUYNnO1AsoKEpTUvSqA3m3y5KE35SKxtLi0JTq7hAg9QpceVTI6UtfvtA/UlS1 t3OLZmrZRAJ48FDrD6YfHWBesSmClNWFvYAd1PubsYvB1ILfZnP+cIXwhIaOmTiz gJ9W7gdAK3OrsigzLABcBcQyCnjU84QqhDpi4Zsk74XhQ8GsWIM= =4jVF -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+--