* [bug#32674] [PATCH 1/1] gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly.
2018-09-09 20:43 [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co Ludovic Courtès
@ 2018-09-09 20:46 ` Ludovic Courtès
2018-09-10 1:55 ` [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co Mike Gerwitz
2018-09-13 16:29 ` Leo Famulari
2 siblings, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2018-09-09 20:46 UTC (permalink / raw)
To: 32674; +Cc: Vagrant Cascadian, Mark H Weaver
* guix/gnupg.scm (%gpgv-command, current-keyring): New variables
(gnupg-verify): Add optional 'keyring' parameter. Use 'gpgv' instead of
'gpg' and pass it '--keyring'.
(gnupg-receive-keys): Add optional 'keyring' parameter and honor it.
(gnupg-verify*): Add #:keyring and honor it.
* guix/scripts/refresh.scm (%options, show-help): Add '--keyring'.
(guix-refresh): Parameterize CURRENT-KEYRING.
* doc/guix.texi (Invoking guix refresh): Document '--keyring' and the
keybox format.
---
doc/guix.texi | 30 +++++++++++++++++++++
guix/gnupg.scm | 58 +++++++++++++++++++++++++++++-----------
guix/scripts/refresh.scm | 13 +++++++--
3 files changed, 83 insertions(+), 18 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 19a497c74..6eccf9e05 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -7268,6 +7268,36 @@ The following options can be used to customize GnuPG operation:
Use @var{command} as the GnuPG 2.x command. @var{command} is searched
for in @code{$PATH}.
+@item --keyring=@var{file}
+Use @var{file} as the keyring for upstream keys. @var{file} must be in the
+@dfn{keybox format}. Keybox files usually have a name ending in @file{.kbx}
+and the GNU@tie{}Privacy Guard (GPG) can manipulate these files
+(@pxref{kbxutil, @command{kbxutil},, gnupg, Using the GNU Privacy Guard}, for
+information on a tool to manipulate keybox files).
+
+When this option is omitted, @command{guix refresh} uses
+@file{~/.config/guix/upstream/trustedkeys.kbx} as the keyring for upstream
+signing keys. OpenPGP signatures are checked against keys from this keyring;
+missing keys are downloaded to this keyring as well (see
+@option{--key-download} below.)
+
+You can export keys from your default GPG keyring into a keybox file using
+commands like this one:
+
+@example
+gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
+@end example
+
+Likewise, you can fetch keys to a specific keybox file like this:
+
+@example
+gpg --no-default-keyring --keyring mykeyring.kbx \
+ --recv-keys @value{OPENPGP-SIGNING-KEY-ID}
+@end example
+
+@ref{GPG Configuration Options, @option{--keyring},, gnupg, Using the GNU
+Privacy Guard}, for more information on GPG's @option{--keyring} option.
+
@item --key-download=@var{policy}
Handle missing OpenPGP keys according to @var{policy}, which may be one
of:
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index ac0ed5ab2..b30ce461b 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2010, 2011, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;;
;;; This file is part of GNU Guix.
@@ -24,9 +24,12 @@
#:use-module (ice-9 rdelim)
#:use-module (ice-9 i18n)
#:use-module (srfi srfi-1)
- #:use-module (guix ui)
+ #:use-module (guix i18n)
+ #:use-module ((guix utils) #:select (config-directory))
+ #:use-module ((guix build utils) #:select (mkdir-p))
#:export (%gpg-command
%openpgp-key-server
+ current-keyring
gnupg-verify
gnupg-verify*
gnupg-status-good-signature?
@@ -42,13 +45,25 @@
;; The GnuPG 2.x command-line program name.
(make-parameter (or (getenv "GUIX_GPG_COMMAND") "gpg")))
+(define %gpgv-command
+ ;; The 'gpgv' program.
+ (make-parameter (or (getenv "GUIX_GPGV_COMMAND") "gpgv")))
+
+(define current-keyring
+ ;; The default keyring of "trusted keys".
+ (make-parameter (string-append (config-directory #:ensure? #f)
+ "/gpg/trustedkeys.kbx")))
+
(define %openpgp-key-server
;; The default key server. Note that keys.gnupg.net appears to be
;; unreliable.
(make-parameter "pgp.mit.edu"))
-(define (gnupg-verify sig file)
- "Verify signature SIG for FILE. Return a status s-exp if GnuPG failed."
+(define* (gnupg-verify sig file
+ #:optional (keyring (current-keyring)))
+ "Verify signature SIG for FILE against the keys in KEYRING. All the keys in
+KEYRING as assumed to be \"trusted\", whether or not they expired or were
+revoked. Return a status s-exp if GnuPG failed."
(define (status-line->sexp line)
;; See file `doc/DETAILS' in GnuPG.
@@ -117,8 +132,8 @@
(loop (read-line input)
(cons (status-line->sexp line) result)))))
- (let* ((pipe (open-pipe* OPEN_READ (%gpg-command) "--status-fd=1"
- "--verify" sig file))
+ (let* ((pipe (open-pipe* OPEN_READ (%gpgv-command) "--status-fd=1"
+ "--keyring" keyring sig file))
(status (parse-status pipe)))
;; Ignore PIPE's exit status since STATUS above should contain all the
;; info we need.
@@ -145,12 +160,21 @@ missing key."
(_ #f)))
status))
-(define (gnupg-receive-keys key-id server)
- (system* (%gpg-command) "--keyserver" server "--recv-keys" key-id))
+(define* (gnupg-receive-keys key-id server
+ #:optional (keyring (current-keyring)))
+ (unless (file-exists? keyring)
+ (mkdir-p (dirname keyring))
+ (call-with-output-file keyring (const #t))) ;create an empty keybox
+
+ (system* (%gpg-command) "--keyserver" server
+ "--no-default-keyring" "--keyring" keyring
+ "--recv-keys" key-id))
(define* (gnupg-verify* sig file
- #:key (key-download 'interactive)
- (server (%openpgp-key-server)))
+ #:key
+ (key-download 'interactive)
+ (server (%openpgp-key-server))
+ (keyring (current-keyring)))
"Like `gnupg-verify', but try downloading the public key if it's missing.
Return #t if the signature was good, #f otherwise. KEY-DOWNLOAD specifies a
download policy for missing OpenPGP keys; allowed values: 'always', 'never',
@@ -161,15 +185,17 @@ and 'interactive' (default)."
(define (download-and-try-again)
;; Download the missing key and try again.
(begin
- (gnupg-receive-keys missing server)
- (gnupg-status-good-signature? (gnupg-verify sig file))))
+ (gnupg-receive-keys missing server keyring)
+ (gnupg-status-good-signature? (gnupg-verify sig file
+ keyring))))
(define (receive?)
(let ((answer
- (begin (format #t (G_ "~a~a~%")
- "Would you like to download this key "
- "and add it to your keyring?")
- (read-line))))
+ (begin
+ (format #t (G_ "Would you like to add this key \
+to keyring '~a'?~%")
+ keyring)
+ (read-line))))
(string-match (locale-yes-regexp) answer)))
(and missing
diff --git a/guix/scripts/refresh.scm b/guix/scripts/refresh.scm
index bcc23bd39..58fc64db1 100644
--- a/guix/scripts/refresh.scm
+++ b/guix/scripts/refresh.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2015 Alex Kost <alezost@gmail.com>
@@ -89,6 +89,9 @@
(lambda (opt name arg result)
(alist-cons 'list-dependent? #t result)))
+ (option '("keyring") #t #f
+ (lambda (opt name arg result)
+ (alist-cons 'keyring arg result)))
(option '("key-server") #t #f
(lambda (opt name arg result)
(alist-cons 'key-server arg result)))
@@ -138,6 +141,8 @@ specified with `--select'.\n"))
-l, --list-dependent list top-level dependent packages that would need to
be rebuilt as a result of upgrading PACKAGE..."))
(newline)
+ (display (G_ "
+ --keyring=FILE use FILE as the keyring of upstream OpenPGP keys"))
(display (G_ "
--key-server=HOST use HOST as the OpenPGP key server"))
(display (G_ "
@@ -437,7 +442,11 @@ update would trigger a complete rebuild."
(%openpgp-key-server)))
(%gpg-command
(or (assoc-ref opts 'gpg-command)
- (%gpg-command))))
+ (%gpg-command)))
+ (current-keyring
+ (or (assoc-ref opts 'keyring)
+ (string-append (config-directory)
+ "/upstream/trustedkeys.kbx"))))
(for-each
(cut update-package store <> updaters
#:key-download key-download
--
2.18.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
2018-09-09 20:43 [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co Ludovic Courtès
2018-09-09 20:46 ` [bug#32674] [PATCH 1/1] gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly Ludovic Courtès
2018-09-10 1:55 ` [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co Mike Gerwitz
@ 2018-09-13 16:29 ` Leo Famulari
2018-09-16 21:02 ` Ludovic Courtès
2 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2018-09-13 16:29 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Vagrant Cascadian, Mark H Weaver, 32674
[-- Attachment #1: Type: text/plain, Size: 1530 bytes --]
On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
> Hello Guix,
>
> (Cc’ing people with expertise and interest in this…)
>
> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
> file format to store and read upstream public keys (instead of using the
> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
> of ‘gpg --verify’.
>
> ‘gpgv’ is specifically designed for use cases like software signature
> verification against a keyring of “trusted keys” (it’s used by APT and
> Werner Koch recommends it¹.) A significant difference compared to
> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
> revoked; all that matters is whether the signature is valid and whether
> the signing key is in the specified keyring. I think that’s what we
> want when checking the signature of a tarball or Git commit.
Great, this is a big improvement. It would be awesome if we could get
similar support in Git (or find another way to authenticate our code).
> This patch changes the behavior of ‘guix refresh -u’, which now uses,
> by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
> That means that if you already have upstream keys in your own keyring,
> you’ll probably want to export them to this keyring.
>
> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.
>
> Feedback welcome!
LGTM!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread