* [bug#64838] [PATCH] home: Add parcimonie service.
@ 2023-07-24 19:03 Efraim Flashner
  2023-08-16 20:32 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Efraim Flashner @ 2023-07-24 19:03 UTC (permalink / raw)
  To: 64838; +Cc: Efraim Flashner

* gnu/home/services/gnupg.scm (home-parcimonie-service-type,
home-parcimonie-configuration): New variables.
* doc/guix.texi (GNU Privacy Guard): Document it.
---
 doc/guix.texi               | 55 ++++++++++++++++++++++++
 gnu/home/services/gnupg.scm | 86 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 139 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 585baf358f..bc86c58cdb 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43679,6 +43679,61 @@ GNU Privacy Guard
 
 @end deftp
 
+@cindex Parcimonie, Home service
+The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
+public key from a keyserver.  Its refreshes one key at a time; between every
+key update parcimonie sleeps a random amount of time, long enough for the
+previously used Tor circuit to expire.  This process is meant to make it hard
+for an attacker to correlate the multiple performed key update operations.
+
+As an example, here is how you would configure @code{parcimonie} to refresh the
+keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
+when running @code{guix import}:
+
+@lisp
+(service home-parcimonie-service-type
+         (home-parcimonie-configuration
+           (refresh-guix-keyrings? #t)))
+@end lisp
+
+The service reference is given below.
+
+@defvar parcimonie-service-type
+This is the service type for @command{parcimonie}
+(@uref{https://salsa.debian.org/intrigeri/parcimonie, Parcimonie's web site}).
+Its value must be a @code{home-parcimonie-configuration}, as shown below.
+@end defvar
+
+@c %start of fragment
+
+@deftp {Data Table} home-parcimonie-configuration
+Available @code{home-parcimonie-configuration} fields are:
+
+@table @asis
+@item @code{parcimonie} (default: @code{parcimonie}) (type: file-like)
+The parcimonie package to use.
+
+@item @code{verbose?} (default: @code{#f}) (type: boolean)
+Whether to have more verbose logging from the service.
+
+@item @code{gnupg-already-torified?} (default: @code{#f}) (type: boolean)
+Whether GnuPG is already configured to pass all traffic through
+@uref{https://torproject.org, Tor}.
+
+@item @code{dbus?} (default: @code{#f}) (type: boolean)
+Whether to send activity updates through D-Bus.
+
+@item @code{refresh-guix-keyrings?} (default: @code{#f}) (type: boolean)
+Guix creates a few keyrings in the @var{$XDG_CONFIG_DIR}, such as when running
+@code{guix import} (@pxref{Invoking guix import}).  Setting this to @code{#t}
+will also refresh any keyrings which Guix has created.
+
+@item @code{extra-content} (default: @code{#f}) (type: raw-configuration-string)
+Raw content to add to the parcimonie command.
+
+@end table
+
+@end deftp
 
 @c %end of fragment
 
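Review bot: the reference entry documents a variable that the Scheme hunk does not define: `@defvar parcimonie-service-type` should be `@defvar home-parcimonie-service-type`, which is the name exported below and the one the `@lisp` example above uses. In the same block, `@deftp {Data Table}` reads like a typo for `{Data Type}`, the `extra-content` default is given as `#f` while the record definition defaults it to `""`, and `@var{$XDG_CONFIG_DIR}` does not match the `XDG_CONFIG_HOME` variable the service actually reads to locate the Guix keyrings. Finally, "Its refreshes one key at a time" should be "It refreshes".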
diff --git a/gnu/home/services/gnupg.scm b/gnu/home/services/gnupg.scm
index 7e9e02a3cc..9b66f7b1cf 100644
--- a/gnu/home/services/gnupg.scm
+++ b/gnu/home/services/gnupg.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,7 +24,7 @@ (define-module (gnu home services gnupg)
   #:use-module (gnu services configuration)
   #:use-module (gnu home services)
   #:use-module (gnu home services shepherd)
-  #:autoload   (gnu packages gnupg) (gnupg pinentry)
+  #:autoload   (gnu packages gnupg) (gnupg pinentry parcimonie)
   #:export (home-gpg-agent-configuration
             home-gpg-agent-configuration?
             home-gpg-agent-configuration-gnupg
@@ -34,7 +35,17 @@ (define-module (gnu home services gnupg)
             home-gpg-agent-configuration-max-cache-ttl-ssh
             home-gpg-agent-configuration-extra-content
 
-            home-gpg-agent-service-type))
+            home-gpg-agent-service-type
+
+            home-parcimonie-configuration
+            home-parcimonie-configuration?
+            home-parcimonie-configuration-parcimonie
+            home-parcimonie-configuration-gnupg-already-torified?
+            home-parcimonie-configuration-with-dbus?
+            home-parcimonie-configuration-refresh-guix-keyrings?
+            home-parcimonie-configuration-extra-content
+
+            home-parcimonie-service-type))
 
 (define raw-configuration-string? string?)
 
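Review bot: two of the exported accessors do not exist as written. The field in the record definition further down is spelled `gnupg-aleady-torified?`, so the generated accessor is `home-parcimonie-configuration-gnupg-aleady-torified?`, and the field is `dbus?`, so its accessor is `home-parcimonie-configuration-dbus?`, not `home-parcimonie-configuration-with-dbus?`. Fix the field spelling to `gnupg-already-torified?` and export the `dbus?` accessor under its real name (or rename the field to `with-dbus?`); `home-parcimonie-configuration-verbose?` is also missing from the export list.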
@@ -148,3 +159,74 @@ (define home-gpg-agent-service-type
 managing OpenPGP and optionally SSH private keys.  When SSH support is
 enabled, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's
 @command{ssh-agent}.")))
+
+(define-configuration/no-serialization home-parcimonie-configuration
+  (parcimonie
+    (file-like parcimonie)
+    "The parcimonie package to use.")
+  (verbose?
+    (boolean #f)
+    "Provide extra output to the log file.")
+  (gnupg-aleady-torified?
+    (boolean #f)
+    "GnuPG is already configured to use tor and parcimonie won't attempt to use
+tor directly.")
+  (dbus?
+    (boolean #f)
+    "Send activity updates on the org.parcimonie.daemon D-Bus service.")
+  (refresh-guix-keyrings?
+    (boolean #f)
+    "Also refresh any Guix keyrings found in the XDG_CONFIG_DIR.")
+  (extra-content
+    (raw-configuration-string "")
+    "Raw content to add to the parcimonie service."))
+
+(define (home-parcimonie-shepherd-service config)
+  "Return a user service to run parcimonie."
+  (match-record config <home-parcimonie-configuration>
+    (parcimonie verbose? gnupg-aleady-torified? dbus?
+                refresh-guix-keyrings? extra-content)
+    (let ((log-file #~(string-append %user-log-dir "/parcimonie.log")))
+      (list (shepherd-service
+              (provision '(parcimonie))
+              (modules '((shepherd support)   ;for '%user-log-dir'
+                         (guix build utils)
+                         (srfi srfi-1)))
+              (start #~(make-forkexec-constructor
+                         (cons*
+                           #$(file-append parcimonie "/bin/parcimonie")
+                           #$@(if verbose?
+                                '("--verbose")
+                                '())
+                           #$@(if gnupg-aleady-torified?
+                                '("--gnupg_already_torified")
+                                '())
+                           #$@(if dbus?
+                                '("--with_dbus")
+                                '())
+                           #$@(if (not (string=? extra-content ""))
+                                (list extra-content)
+                                '())
+                           #$@(if refresh-guix-keyrings?
+                                '((append-map
+                                    (lambda (item)
+                                      (list (string-append "--gnupg_extra_options="
+                                                           "--keyring=" item)))
+                                    (find-files
+                                      (string-append (getenv "XDG_CONFIG_HOME") "/guix")
+                                      "^trustedkeys\\.kbx$")))
+                                '((list))))
+                         #:log-file #$log-file))
+              (stop #~(make-kill-destructor))
+              (respawn? #t)
+              (documentation "Incrementally refresh gnupg keyring over Tor"))))))
+
+(define home-parcimonie-service-type
+  (service-type
+   (name 'home-parcimonie)
+   (extensions
+    (list (service-extension home-shepherd-service-type
+                             home-parcimonie-shepherd-service)))
+   (default-value (home-parcimonie-configuration))
+   (description
+    "Incrementally refresh GnuPG keyrings over Tor.")))
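Review bot: `(getenv "XDG_CONFIG_HOME")` returns `#f` when the variable is unset, and the `string-append` in the `refresh-guix-keyrings?` branch will then raise inside the shepherd start constructor; since this runs only when `refresh-guix-keyrings?` is `#t`, fall back to `$HOME/.config` (the XDG default) before calling `find-files`, e.g. `(or (getenv "XDG_CONFIG_HOME") (string-append (getenv "HOME") "/.config"))`. Two smaller points in the same hunk: `gnupg-aleady-torified?` is misspelled consistently in the field definition, the `match-record` pattern and the `if`, which is why the export list above does not match; and `extra-content` is spliced in as `(list extra-content)`, so a value such as `"--foo --bar"` reaches parcimonie as one argv element rather than two, which the docstring "Raw content to add to the parcimonie service" does not make clear. Either document that it is a single argument or make the field a list of strings.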

base-commit: 3adde30af52d4be347d610c0bdd543e0fdd6d64d
-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted






* [bug#64838] [PATCH] home: Add parcimonie service.
  2023-07-24 19:03 [bug#64838] [PATCH] home: Add parcimonie service Efraim Flashner
@ 2023-08-16 20:32 ` Ludovic Courtès
  2023-08-18 13:24   ` Efraim Flashner
  2023-09-04  8:21   ` bug#64838: " Efraim Flashner
  0 siblings, 2 replies; 4+ messages in thread
From: Ludovic Courtès @ 2023-08-16 20:32 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 64838

Hello,

Efraim Flashner <efraim@flashner.co.il> wrote:

> * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> home-parcimonie-configuration): New variables.
> * doc/guix.texi (GNU Privacy Guard): Document it.

Very nice!

> +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> +public key from a keyserver.  Its refreshes one key at a time; between every
                                 ^
“It”

> +key update parcimonie sleeps a random amount of time, long enough for the
> +previously used Tor circuit to expire.  This process is meant to make it hard
> +for an attacker to correlate the multiple performed key update operations.

Maybe: “to correlate the multiple key updates.”

> +As an example, here is how you would configure @code{parcimonie} to refresh the
> +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> +when running @code{guix import}:
> +
> +@lisp
> +(service home-parcimonie-service-type
> +         (home-parcimonie-configuration
> +           (refresh-guix-keyrings? #t)))
> +@end lisp

Maybe add: “This assumes that the Tor anonymous routing daemon is
already running on your system.  On Guix System, this can be achieved by
setting up @code{tor-service-type} (@pxref{Networking Services,
@code{tor-service-type}}).”

Apart from these minor nits, LGTM!

Thanks,
Ludo’.





* [bug#64838] [PATCH] home: Add parcimonie service.
  2023-08-16 20:32 ` Ludovic Courtès
@ 2023-08-18 13:24   ` Efraim Flashner
  2023-09-04  8:21   ` bug#64838: " Efraim Flashner
  1 sibling, 0 replies; 4+ messages in thread
From: Efraim Flashner @ 2023-08-18 13:24 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 64838, unmatched-paren, Andrew Tropin


On Wed, Aug 16, 2023 at 10:32:23PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Efraim Flashner <efraim@flashner.co.il> wrote:
> 
> > * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> > home-parcimonie-configuration): New variables.
> > * doc/guix.texi (GNU Privacy Guard): Document it.
> 
> Very nice!
> 
> > +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> > +public key from a keyserver.  Its refreshes one key at a time; between every
>                                  ^
> “It”
> 
> > +key update parcimonie sleeps a random amount of time, long enough for the
> > +previously used Tor circuit to expire.  This process is meant to make it hard
> > +for an attacker to correlate the multiple performed key update operations.
> 
> Maybe: “to correlate the multiple key updates.”
> 
> > +As an example, here is how you would configure @code{parcimonie} to refresh the
> > +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> > +when running @code{guix import}:
> > +
> > +@lisp
> > +(service home-parcimonie-service-type
> > +         (home-parcimonie-configuration
> > +           (refresh-guix-keyrings? #t)))
> > +@end lisp
> 
> Maybe add: “This assumes that the Tor anonymous routing daemon is
> already running on your system.  On Guix System, this can be achieved by
> setting up @code{tor-service-type} (@pxref{Networking Services,
> @code{tor-service-type}}).”
> 
> Apart from these minor nits, LGTM!

Thanks.

Apparently the dbus integration was for the parcimonie applet, but
that's been deprecated so I'll remove that option. Also I think I need
to test the service once or twice more, I need to make sure the
append-map bits work as expected and it doesn't make an extra list. I'll
push it once I've taken care of those bits.

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* bug#64838: [PATCH] home: Add parcimonie service.
  2023-08-16 20:32 ` Ludovic Courtès
  2023-08-18 13:24   ` Efraim Flashner
@ 2023-09-04  8:21   ` Efraim Flashner
  1 sibling, 0 replies; 4+ messages in thread
From: Efraim Flashner @ 2023-09-04  8:21 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 64838-done, paren, Andrew Tropin


On Wed, Aug 16, 2023 at 10:32:23PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Efraim Flashner <efraim@flashner.co.il> wrote:
> 
> > * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> > home-parcimonie-configuration): New variables.
> > * doc/guix.texi (GNU Privacy Guard): Document it.
> 
> Very nice!
> 
> > +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> > +public key from a keyserver.  Its refreshes one key at a time; between every
>                                  ^
> “It”
> 
> > +key update parcimonie sleeps a random amount of time, long enough for the
> > +previously used Tor circuit to expire.  This process is meant to make it hard
> > +for an attacker to correlate the multiple performed key update operations.
> 
> Maybe: “to correlate the multiple key updates.”
> 
> > +As an example, here is how you would configure @code{parcimonie} to refresh the
> > +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> > +when running @code{guix import}:
> > +
> > +@lisp
> > +(service home-parcimonie-service-type
> > +         (home-parcimonie-configuration
> > +           (refresh-guix-keyrings? #t)))
> > +@end lisp
> 
> Maybe add: “This assumes that the Tor anonymous routing daemon is
> already running on your system.  On Guix System, this can be achieved by
> setting up @code{tor-service-type} (@pxref{Networking Services,
> @code{tor-service-type}}).”
> 
> Apart from these minor nits, LGTM!
> 
> Thanks,
> Ludo’.

Thanks. I was able to test it overnight and everything looks good. Patch
pushed finally!

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


