unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
From: Ricardo Wurmus <rekado@elephly.net>
To: "Jakob L. Kreuze" <zerodaysfordays@sdf.lonestar.org>
Cc: 36956@debbugs.gnu.org
Subject: [bug#36956] [PATCH] machine: Automatically authorize the coordinator's signing key.
Date: Wed, 07 Aug 2019 21:39:51 +0200	[thread overview]
Message-ID: <874l2sydbs.fsf@elephly.net> (raw)
In-Reply-To: <87ef1x4015.fsf@sdf.lonestar.org>


Jakob L. Kreuze <zerodaysfordays@sdf.lonestar.org> writes:

> +(define (remote-authorize-signing-key key session)
> +  "Send KEY, a canonical sexp containing a public key, over SESSION and add it
> +to the system ACL file if it has not yet been authorized."
> +  (inferior-remote-eval
> +   `(begin
> +      (use-modules (guix build utils)
> +                   (guix pki)
> +                   (guix utils)
> +                   (gcrypt pk-crypto)
> +                   (srfi srfi-26))
> +
> +      (define acl (current-acl))
> +      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
> +
> +      (unless (authorized-key? key)
> +        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
> +          (mkdir-p (dirname %acl-file))
> +          (with-atomic-file-output %acl-file
> +            (cut write-acl acl <>)))))
> +   session))
> +

This will overwrite an existing acl file on the remote with a copy that
differs only in the newly added key.

Is there a chance for corruption, e.g. if acl->public-keys returns
something unexpected?

--
Ricardo

  parent reply	other threads:[~2019-08-07 19:41 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-07 12:45 [bug#36956] [PATCH] machine: Automatically authorize the coordinator's signing key Jakob L. Kreuze
2019-08-07 19:18 ` Christopher Lemmer Webber
2019-08-07 19:39 ` Ricardo Wurmus [this message]
2019-08-07 20:52   ` Jakob L. Kreuze
2019-08-09 15:48     ` [bug#36956] [PATCH v2] machine: Automatically authorize the coordinator's signing Jakob L. Kreuze
2019-08-09 15:52     ` [bug#36956] [PATCH] machine: Automatically authorize the coordinator's signing key Jakob L. Kreuze
2019-08-14 20:51       ` Christopher Lemmer Webber
2019-08-15  5:52         ` Ricardo Wurmus
2019-08-15 11:45         ` bug#36956: " Christopher Lemmer Webber

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874l2sydbs.fsf@elephly.net \
    --to=rekado@elephly.net \
    --cc=36956@debbugs.gnu.org \
    --cc=zerodaysfordays@sdf.lonestar.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).