unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
@ 2021-11-14  2:51 Maxim Cournoyer
  2021-11-15 10:31 ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Maxim Cournoyer @ 2021-11-14  2:51 UTC (permalink / raw)
  To: 51822; +Cc: Maxim Cournoyer

The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
besides, users know best.

* guix/gnupg.scm (%openpgp-key-server): Default to #f, meaning not provided.
(gnupg-receive-keys): Make SERVER and KEYRING keyword arguments.  Adjust doc.
Provide the '--keyserver' argument only when %openpgp-key-server is not #f.
(gnupg-verify*): Do not set a default value for SERVER.  Adjust accordingly.
---
 guix/gnupg.scm | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index 5fae24b325..2ec77c6a71 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -56,9 +57,9 @@ (define current-keyring
                                  "/gpg/trustedkeys.kbx")))
 
 (define %openpgp-key-server
-  ;; The default key server.  Note that keys.gnupg.net appears to be
-  ;; unreliable.
-  (make-parameter "pool.sks-keyservers.net"))
+  ;; The default key server.  It defaults to #f, which causes GnuPG to use the
+  ;; one it is configured with.
+  (make-parameter #f))
 
 ;; Regexps for status lines.  See file `doc/DETAILS' in GnuPG.
 
@@ -182,22 +183,26 @@ (define (gnupg-status-missing-key? status)
            (_ #f)))
        status))
 
-(define* (gnupg-receive-keys fingerprint/key-id server
-                             #:optional (keyring (current-keyring)))
-  "Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to
-KEYRING."
+(define* (gnupg-receive-keys fingerprint/key-id
+                             #:key server (keyring (current-keyring)))
+  "Download FINGERPRINT/KEY-ID from SERVER if specified, otherwise from
+GnuPG's default/configure on.  The key is added to KEYRING."
   (unless (file-exists? keyring)
     (mkdir-p (dirname keyring))
-    (call-with-output-file keyring (const #t)))   ;create an empty keybox
+    (call-with-output-file keyring (const #t))) ;create an empty keybox
 
-  (zero? (system* (%gpg-command) "--keyserver" server
-                  "--no-default-keyring" "--keyring" keyring
-                  "--recv-keys" fingerprint/key-id)))
+  (zero? (apply system*
+                `(,(%gpg-command)
+                  ,@(if server
+                        (list "--keyserver" server)
+                        '())
+                  "--no-default-keyring" "--keyring" ,keyring
+                  "--recv-keys" ,fingerprint/key-id))))
 
 (define* (gnupg-verify* sig file
                         #:key
                         (key-download 'interactive)
-                        (server (%openpgp-key-server))
+                        server
                         (keyring (current-keyring)))
   "Like `gnupg-verify', but try downloading the public key if it's missing.
 Return two values: 'valid-signature and a fingerprint/name pair upon success,
@@ -215,7 +220,7 @@ (define* (gnupg-verify* sig file
        (let ((missing (gnupg-status-missing-key? status)))
          (define (download-and-try-again)
            ;; Download the missing key and try again.
-           (if (gnupg-receive-keys missing server keyring)
+           (if (gnupg-receive-keys missing #:server server #:keyring keyring)
                (match (gnupg-status-good-signature?
                        (gnupg-verify sig file keyring))
                  (#f
-- 
2.33.1





^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-14  2:51 [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server Maxim Cournoyer
@ 2021-11-15 10:31 ` zimoun
  2021-11-18 13:01   ` Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-11-15 10:31 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 51822

Hi Maxim,

On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;

Does this mean some "guix time-machine" could be broken?


Cheers,
simon




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-15 10:31 ` zimoun
@ 2021-11-18 13:01   ` Maxim Cournoyer
  2021-11-18 13:35     ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Maxim Cournoyer @ 2021-11-18 13:01 UTC (permalink / raw)
  To: zimoun; +Cc: 51822

Hi Simon,

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
>
> Does this mean some "guix time-machine" could be broken?

I don't think so, else I fail to see the relationship.

Thanks,

Maxim




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 13:01   ` Maxim Cournoyer
@ 2021-11-18 13:35     ` zimoun
  2021-11-18 14:21       ` Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-11-18 13:35 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 51822

Hi Maxim,

On Thu, 18 Nov 2021 at 14:01, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> zimoun <zimon.toutoune@gmail.com> writes:
> > On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> >
> >> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
> >
> > Does this mean some "guix time-machine" could be broken?
>
> I don't think so, else I fail to see the relationship.

If a server was used for doing something by Guix at version A, then
this server is now down, is the something still now doable using this
old version A of Guix?  Where this old version A is reachable by "guix
time-machine".

Maybe it does not make sense and it is not relevant.


Cheers,
simon




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 13:35     ` zimoun
@ 2021-11-18 14:21       ` Maxim Cournoyer
  2021-11-18 14:29         ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Maxim Cournoyer @ 2021-11-18 14:21 UTC (permalink / raw)
  To: zimoun; +Cc: 51822

Hi Simon,

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Thu, 18 Nov 2021 at 14:01, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>> zimoun <zimon.toutoune@gmail.com> writes:
>> > On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>> >
>> >> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
>> >
>> > Does this mean some "guix time-machine" could be broken?
>>
>> I don't think so, else I fail to see the relationship.
>
> If a server was used for doing something by Guix at version A, then
> this server is now down, is the something still now doable using this
> old version A of Guix?  Where this old version A is reachable by "guix
> time-machine".
>
> Maybe it does not make sense and it is not relevant.

The default server that was hard-coded in Guix (or in GnuPG) in the past
would still not work *now*, even using an older Guix commit :-).

So I do not think it is relevant.

Thanks,

Maxim




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 14:21       ` Maxim Cournoyer
@ 2021-11-18 14:29         ` zimoun
  2021-11-18 15:57           ` Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-11-18 14:29 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 51822

Re,

On Thu, 18 Nov 2021 at 15:21, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> > If a server was used for doing something by Guix at version A, then
> > this server is now down, is the something still now doable using this
> > old version A of Guix?  Where this old version A is reachable by "guix
> > time-machine".
> >
> > Maybe it does not make sense and it is not relevant.
>
> The default server that was hard-coded in Guix (or in GnuPG) in the past
> would still not work *now*, even using an older Guix commit :-).

Yeah, for sure.  My question is: because this server is not working
*now* and hard-coded on previous version, is "guix time-machine" still
working for all the subcommands?  Or is it broken as collateral damage
of server down + hard coded? :-)

Cheers,
simon




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 14:29         ` zimoun
@ 2021-11-18 15:57           ` Maxim Cournoyer
  2021-11-18 16:20             ` zimoun
  0 siblings, 1 reply; 9+ messages in thread
From: Maxim Cournoyer @ 2021-11-18 15:57 UTC (permalink / raw)
  To: zimoun; +Cc: 51822

Hi,

zimoun <zimon.toutoune@gmail.com> writes:

> Re,
>
> On Thu, 18 Nov 2021 at 15:21, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> > If a server was used for doing something by Guix at version A, then
>> > this server is now down, is the something still now doable using this
>> > old version A of Guix?  Where this old version A is reachable by "guix
>> > time-machine".
>> >
>> > Maybe it does not make sense and it is not relevant.
>>
>> The default server that was hard-coded in Guix (or in GnuPG) in the past
>> would still not work *now*, even using an older Guix commit :-).
>
> Yeah, for sure.  My question is: because this server is not working
> *now* and hard-coded on previous version, is "guix time-machine" still
> working for all the subcommands?  Or is it broken as collateral damage
> of server down + hard coded? :-)

guix time-machine is not broken as a whole, but the 'guix refresh
--update' commands that makes use of the (guix gnupg) module would for
sure in whichever commit of Guix, unless pool.sks-keyservers.net is
revived.  As a workaround, the --key-server option can be set to
hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
releases).

Thanks,

Maxim




^ permalink raw reply	[flat|nested] 9+ messages in thread

* [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 15:57           ` Maxim Cournoyer
@ 2021-11-18 16:20             ` zimoun
  2021-11-18 20:05               ` bug#51822: " Maxim Cournoyer
  0 siblings, 1 reply; 9+ messages in thread
From: zimoun @ 2021-11-18 16:20 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: 51822

Re,

On Thu, 18 Nov 2021 at 16:57, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> guix time-machine is not broken as a whole, but the 'guix refresh
> --update' commands that makes use of the (guix gnupg) module would for
> sure in whichever commit of Guix, unless pool.sks-keyservers.net is
> revived.  As a workaround, the --key-server option can be set to
> hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
> releases).

Thanks for explaining.  Perfect if there is a (almost) straightforward
workaround. :-)

LGTM!

Cheers,
simon




^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#51822: [PATCH] gnupg: Honor GnuPG's configuration for the key server.
  2021-11-18 16:20             ` zimoun
@ 2021-11-18 20:05               ` Maxim Cournoyer
  0 siblings, 0 replies; 9+ messages in thread
From: Maxim Cournoyer @ 2021-11-18 20:05 UTC (permalink / raw)
  To: zimoun; +Cc: 51822-done

Hello,

zimoun <zimon.toutoune@gmail.com> writes:

> Re,
>
> On Thu, 18 Nov 2021 at 16:57, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> guix time-machine is not broken as a whole, but the 'guix refresh
>> --update' commands that makes use of the (guix gnupg) module would for
>> sure in whichever commit of Guix, unless pool.sks-keyservers.net is
>> revived.  As a workaround, the --key-server option can be set to
>> hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
>> releases).
>
> Thanks for explaining.  Perfect if there is a (almost) straightforward
> workaround. :-)
>
> LGTM!

Alright, thanks for the review!  Submitted as 4c91332cce.

Thanks,

Closing.

Maxim




^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2021-11-18 20:06 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-11-14  2:51 [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server Maxim Cournoyer
2021-11-15 10:31 ` zimoun
2021-11-18 13:01   ` Maxim Cournoyer
2021-11-18 13:35     ` zimoun
2021-11-18 14:21       ` Maxim Cournoyer
2021-11-18 14:29         ` zimoun
2021-11-18 15:57           ` Maxim Cournoyer
2021-11-18 16:20             ` zimoun
2021-11-18 20:05               ` bug#51822: " Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).