From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:470:142:3::10]:52418)
 by lists.gnu.org with esmtp (Exim 4.86_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hw79X-0000dJ-NP
 for guix-patches@gnu.org; Fri, 09 Aug 2019 11:50:05 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hw79W-0005hb-F0
 for guix-patches@gnu.org; Fri, 09 Aug 2019 11:50:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:34324)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1hw79W-0005h5-B3
 for guix-patches@gnu.org; Fri, 09 Aug 2019 11:50:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1hw79W-0006SJ-6z
 for guix-patches@gnu.org; Fri, 09 Aug 2019 11:50:02 -0400
Subject: [bug#36956] [PATCH v2] machine: Automatically authorize the
 coordinator's signing
Resent-Message-ID: <handler.36956.B36956.156536574924747@debbugs.gnu.org>
From: zerodaysfordays@sdf.lonestar.org (Jakob L. Kreuze)
References: <87ef1x4015.fsf@sdf.lonestar.org> <874l2sydbs.fsf@elephly.net>
 <87zhkkk8a6.fsf@sdf.lonestar.org>
Date: Fri, 09 Aug 2019 11:48:48 -0400
In-Reply-To: <87zhkkk8a6.fsf@sdf.lonestar.org> (Jakob L. Kreuze's message of
 "Wed, 07 Aug 2019 16:52:33 -0400")
Message-ID: <87k1bmnxun.fsf_-_@sdf.lonestar.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Christopher Lemmer Webber <cwebber@dustycloud.org>
Cc: 36956@debbugs.gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

* guix/ssh.scm (remote-authorize-signing-key): New variable.
* gnu/machine/ssh.scm (deploy-managed-host): Authorize coordinator's
signing key before any invocations of 'remote-eval'.
(deploy-managed-host): Display an error if a signing key does not exist.
* doc/guix.texi (Invoking guix deploy): Remove section describing manual
signing key authorization.
(Invoking guix deploy): Add section describing the 'authorize?' field.
=2D--
 doc/guix.texi       |  3 +++
 gnu/machine/ssh.scm | 31 +++++++++++++++++++++++++------
 guix/ssh.scm        | 23 +++++++++++++++++++++++
 3 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1478749d7d..e9a0d7aa22 100644
=2D-- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25583,6 +25583,9 @@ with an @code{environment} of @code{managed-host-en=
vironment-type}.
=20
 @table @asis
 @item @code{host-name}
+@item @code{authorize?} (default: @code{#t})
+If true, the coordinator's signing key will be added to the remote's ACL
+keyring.
 @item @code{port} (default: @code{22})
 @item @code{user} (default: @code{"root"})
 @item @code{identity} (default: @code{#f})
diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index 57af0e4bff..320bc7fdb4 100644
=2D-- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -28,13 +28,16 @@
   #:use-module (guix i18n)
   #:use-module (guix modules)
   #:use-module (guix monads)
+  #:use-module (guix pki)
   #:use-module (guix records)
   #:use-module (guix remote)
   #:use-module (guix scripts system reconfigure)
   #:use-module (guix ssh)
   #:use-module (guix store)
   #:use-module (guix utils)
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 textual-ports)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
@@ -48,6 +51,7 @@
=20
             machine-ssh-configuration-host-name
             machine-ssh-configuration-build-locally?
+            machine-ssh-configuration-authorize?
             machine-ssh-configuration-port
             machine-ssh-configuration-user
             machine-ssh-configuration-session))
@@ -70,16 +74,18 @@
   make-machine-ssh-configuration
   machine-ssh-configuration?
   this-machine-ssh-configuration
=2D  (host-name      machine-ssh-configuration-host-name) ; string
=2D  (build-locally? machine-ssh-configuration-build-locally?
+  (host-name      machine-ssh-configuration-host-name)     ; string
+  (build-locally? machine-ssh-configuration-build-locally? ; boolean
                   (default #t))
=2D  (port           machine-ssh-configuration-port       ; integer
+  (authorize?     machine-ssh-configuration-authorize?     ; boolean
+                  (default #t))
+  (port           machine-ssh-configuration-port           ; integer
                   (default 22))
=2D  (user           machine-ssh-configuration-user       ; string
+  (user           machine-ssh-configuration-user           ; string
                   (default "root"))
=2D  (identity       machine-ssh-configuration-identity   ; path to a priva=
te key
+  (identity       machine-ssh-configuration-identity       ; path to a pri=
vate key
                   (default #f))
=2D  (session        machine-ssh-configuration-session    ; session
+  (session        machine-ssh-configuration-session        ; session
                   (default #f)))
=20
 (define (machine-ssh-session machine)
@@ -339,6 +345,19 @@ the 'should-roll-back' field set to SHOULD-ROLL-BACK?"
   "Internal implementation of 'deploy-machine' for MACHINE instances with =
an
 environment type of 'managed-host."
   (maybe-raise-unsupported-configuration-error machine)
+  (when (machine-ssh-configuration-authorize?
+         (machine-configuration machine))
+    (unless (file-exists? %public-key-file)
+      (raise (condition
+              (&message
+               (message (format #f (G_ "no signing key '~a'. \
+have you run 'guix archive --generate-key?'")
+                                %public-key-file))))))
+    (remote-authorize-signing-key (call-with-input-file %public-key-file
+                                    (lambda (port)
+                                      (string->canonical-sexp
+                                       (get-string-all port))))
+                                  (machine-ssh-session machine)))
   (mlet %store-monad ((_ (check-deployment-sanity machine))
                       (boot-parameters (machine-boot-parameters machine)))
     (let* ((os (machine-operating-system machine))
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 90311127a1..24834c6f68 100644
=2D-- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -21,6 +21,7 @@
   #:use-module (guix inferior)
   #:use-module (guix i18n)
   #:use-module ((guix utils) #:select (&fix-hint))
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ssh session)
   #:use-module (ssh auth)
   #:use-module (ssh key)
@@ -40,6 +41,7 @@
             remote-daemon-channel
             connect-to-remote-daemon
             remote-system
+            remote-authorize-signing-key
             send-files
             retrieve-files
             retrieve-files*
@@ -300,6 +302,27 @@ the machine on the other end of SESSION."
   (inferior-remote-eval '(begin (use-modules (guix utils)) (%current-syste=
m))
                         session))
=20
+(define (remote-authorize-signing-key key session)
+  "Send KEY, a canonical sexp containing a public key, over SESSION and ad=
d it
+to the system ACL file if it has not yet been authorized."
+  (inferior-remote-eval
+   `(begin
+      (use-modules (guix build utils)
+                   (guix pki)
+                   (guix utils)
+                   (gcrypt pk-crypto)
+                   (srfi srfi-26))
+
+      (define acl (current-acl))
+      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
+
+      (unless (authorized-key? key)
+        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
+          (mkdir-p (dirname %acl-file))
+          (with-atomic-file-output %acl-file
+            (cut write-acl acl <>)))))
+   session))
+
 (define* (send-files local files remote
                      #:key
                      recursive?
=2D-=20
2.22.0


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEa1VJLOiXAjQ2BGSm9Qb9Fp2P2VoFAl1NleAACgkQ9Qb9Fp2P
2Vq3Yw/+PtbtOBDpQUVXkd6NHYJufLBVVOVM3A8OuG99SLIbn1vPOs2WVOeIOdN2
ZdmX3N9EgQQ/+hhhrDQyqwfqU8CaJlRzaNy0LNtiaKPqjr7As1orMgFDChiOKcpQ
BYJVz0QsJlgIFxsLWF18NTBy22U1ISrLBt1eicu5KumoEYYi7J5NaB/Dk4YMs6yn
eCTVo1/msuNKxyNhYVgDjDCXDQtl+y25P4sJ6r10ytg4l4M4uLrZDwmykmcS2ymx
+KxNkqPxBMLPIeBU10s4rJPzqGxxYHZrUxtTBL63rIodyqCZw5oGX07vanaYBBad
ZToSCimhgs2/SX4PFYG0tcFv8PnA5rUweaVDX9uh/u3px3mqKh1RC/0m4M6M9f1t
59JLgRC2Hkwnqe4ApCpgU73BN56u/tGMsByCcDe0DkoN40PulY+rb6PuVuxuIXwy
wIkFMNC71+s1hePF4zw5j2m9fXLWUn5KI3YTWDW6N54GmKyWr8f0NlM362EPuAGM
TMbgcSet7YrZwR9uukMLXDqxZDOQFrMktJizbjAGnMu+VYLollLH+DI8UGrelupp
lVuTsUvVARIHZzs5Y1cdJ37S0FnRMFzFazj2TmSDpvQa+r5GDCf7MEfKGNUsChoQ
CfHna1988pwGIT661xr82DADaOREhs+e9abARROHbgFrlrZ61Nw=
=W/25
-----END PGP SIGNATURE-----
--=-=-=--