From: Tobias Geerinckx-Rice via Guix-patches via <guix-patches@gnu.org>
To: 40689@debbugs.gnu.org
Subject: [bug#40689] [PATCH] gnupg: Accept revoked keys.
Date: Fri, 17 Apr 2020 23:25:17 +0200 [thread overview]
Message-ID: <20200417212517.22922-1-me@tobias.gr> (raw)
I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones. This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
---
build-aux/git-authenticate.scm | 7 ++++---
guix/gnupg.scm | 11 ++++++++++-
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bb48dddc59 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -147,11 +148,11 @@
("mthl"
"F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37")
("nckx"
- ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
- "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
- ("nckx (2nd)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79")
+ ("nckx (revoked; not compromised)"
+ ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
+ "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("niedzejkob"
"E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564")
("ngz"
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..5fae24b325 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -71,6 +72,8 @@
"^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
(define expkeysig-rx ; good signature, but expired key
(make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
+(define revkeysig-rx ; good signature, but revoked key
+ (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
(define errsig-rx
;; Note: The fingeprint part (the last element of the line) appeared in
;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed."
(lambda (match)
`(expired-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name
+ ((regexp-exec revkeysig-rx line)
+ =>
+ (lambda (match)
+ `(revoked-key-signature ,(match:substring match 1) ; fingerprint
+ ,(match:substring match 2)))) ; user name
((regexp-exec errsig-rx line)
=>
(lambda (match)
@@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise."
(match (assq 'valid-signature status)
(('valid-signature fingerprint date timestamp)
(match (or (assq 'good-signature status)
- (assq 'expired-key-signature status))
+ (assq 'expired-key-signature status)
+ (assq 'revoked-key-signature status))
((_ key-id user) (cons fingerprint user))
(_ #f)))
(_
--
2.25.2
next reply other threads:[~2020-04-17 21:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-17 21:25 Tobias Geerinckx-Rice via Guix-patches via [this message]
2020-04-17 21:35 ` bug#40689: [PATCH] gnupg: Accept revoked keys Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200417212517.22922-1-me@tobias.gr \
--to=guix-patches@gnu.org \
--cc=40689@debbugs.gnu.org \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).