Subject: [bug#43650] [PATCH 5/8] services: guix: Generate key pair if needed during activation.
To: 43650@debbugs.gnu.org
Cc: Ludovic Courtès, janneke@gnu.org
Resent-Date: Sun, 27 Sep 2020 15:33:04 +0000
From: Ludovic Courtès
Date: Sun, 27 Sep 2020 17:32:18 +0200
Message-Id: <20200927153221.9154-5-ludo@gnu.org>
In-Reply-To: <20200927153221.9154-1-ludo@gnu.org>
X-Mailer: git-send-email 2.28.0

* gnu/services/base.scm (guix-activation): Invoke "guix archive
--generate-key".
* doc/guix.texi (Invoking guix archive) (Invoking guix deploy): Mention
that 'guix-service-type' takes care of generating the key pair.
---
 doc/guix.texi         | 11 +++++++----
 gnu/services/base.scm | 13 +++++++++----
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 82241b010a..885f7fcf97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -5048,9 +5048,11 @@ the store. @item --generate-key[=@var{parameters}] @cindex signing, archives Generate a new key pair for the daemon. This is a prerequisite before -archives can be exported with @option{--export}. Note that this -operation usually takes time, because it needs to gather enough entropy -to generate the key pair. +archives can be exported with @option{--export}. This +operation is usually instantaneous but it can take time if the system's +entropy pool needs to be refilled. On Guix System, +@code{guix-service-type} takes care of generating this key pair the +first boot. The generated key pair is typically stored under @file{/etc/guix}, in @file{signing-key.pub} (public key) and @file{signing-key.sec} (private @@ -29531,7 +29533,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different Do note that you first need to generate a key pair on the coordinator machine to allow the daemon to export signed archives of files from the store -(@pxref{Invoking guix archive}). +(@pxref{Invoking guix archive}), though this step is automatic on Guix +System: @example # guix archive --generate-key diff --git a/gnu/services/base.scm b/gnu/services/base.scm index bef4eef241..04bc991356 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1653,10 +1653,15 @@ proxy of 'guix-daemon'...~%") ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; chown leads to an entire copy of the tree, which is a bad idea. - ;; Optionally authorize substitute server keys. - (if authorize-key? - (substitute-key-authorization keys guix) - #~#f)))) + ;; Generate a key pair and optionally authorize substitute server keys. + #~(begin + (unless (file-exists? "/etc/guix/signing-key.pub") + (system* #$(file-append guix "/bin/guix") "archive" + "--generate-key")) + + #$(if authorize-key? + (substitute-key-authorization keys guix) + #~#f))))) (define* (references-file item #:optional (name "references")) "Return a file that contains the list of references of ITEM." -- 2.28.0
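Review bot: in the doc/guix.texi hunk at @@ -5048, the added sentence "@code{guix-service-type} takes care of generating this key pair the first boot" is missing a preposition; suggest "at first boot". More substantively, the base.scm hunk runs the generation whenever @file{/etc/guix/signing-key.pub} is absent at activation time, not only on first boot, so wording along the lines of "generates this key pair during system activation when it is missing" would describe the behaviour more accurately and tells an administrator what to expect if the key files are removed.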
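Review bot: in the doc/guix.texi hunk at @@ -29531, the sentence now ends with "though this step is automatic on Guix System:" and is immediately followed by the @example showing the manual "guix archive --generate-key" command, which reads as if the command were still required on Guix System. Suggest stating the condition explicitly before the example, e.g. "(@pxref{Invoking guix archive}). On Guix System this step is automatic; elsewhere, run:".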
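Review bot: in the gnu/services/base.scm hunk at @@ -1653, the guard only tests for "/etc/guix/signing-key.pub", while the doc hunk above says the pair consists of @file{signing-key.pub} and @file{signing-key.sec}; a present public key with a missing or unreadable secret key (for instance after a partial restore of /etc) skips generation and leaves the daemon unable to sign exports, whereas a present secret key with a missing public key triggers generation anyway. Suggest checking both files, e.g. `(unless (and (file-exists? "/etc/guix/signing-key.pub") (file-exists? "/etc/guix/signing-key.sec"))`. The return value of `system*` is also discarded, so a failing "guix archive --generate-key" (the doc hunk itself notes it may take time while the entropy pool refills) is silent and activation continues as if the key existed; wrapping it as `(unless (zero? (system* ...)) (format (current-error-port) "warning: failed to generate signing key~%"))` would at least surface the failure in the boot log. Finally, "/etc/guix" is hard-coded here although the documentation only says the key pair is "typically" stored there; a short comment stating that assumption next to the `file-exists?` check would help the next reader.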