From: Ludovic Courtès
Subject: Re: bug#22883: Authenticating Git checkouts: step #1
Date: Mon, 30 Dec 2019 22:29:35 +0100
Message-ID: <87woad1ozk.fsf@gnu.org>
In-Reply-To: <87a77bzw6p.fsf@yucca> (Vagrant Cascadian's message of "Sat, 28 Dec 2019 18:45:34 -0800")
To: Vagrant Cascadian
Cc: 22883@debbugs.gnu.org, guix-devel@gnu.org

Hello!

Vagrant Cascadian wrote:

> On 2019-12-27, Ricardo Wurmus wrote:
[...]
>> Thank you for the instructions.  I thought I had all keys, but
>> apparently at least one of them is missing.  “make authenticate” fails
>> for me with this error:
>>
>>   Throw to key `srfi-34' with args `(#)'.
>>
>> I previously downloaded the gpg keyring from Savannah:
>>
>>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix
>>
>> Looks like Hartmut used to use a different key, which I don’t have.
>
> I got this too, and manually worked around it by downloading
> guix-keyring.gpg from:
>
>   https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>
> And running:
>
>   gpg --no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx --import ~/guix-keyring.gpg
>
> It seems to be working now... how is the keyring *supposed* to be
> populated? Before I manually imported guix-keyring.gpg into guix.kbx,
> there were a very small number of keys present.

By default, the script currently automatically downloads keys from
keyserver into ~/.config/…/guix.kbx: see ‘gnupg-verify*’ in (guix gnupg).

This is unreliable and rather undesirable, so the real solution will be
to have the keyring in the repo.

> It's a little awkward that it uses the fingerprint of the signing key
> rather than the primary key, as by default things like "gpg --list-keys"
> do not display the fingerprint of signing keys, only the primary key, so
> it is an adventure in gpg commandline options to correlate them.
>
> "gpg log --show-signature" also reports the primary key fingerprint,
> if the key is available in the keyring, and only the subkey fingerprint
> for unknown keys if I remember correctly.

Yeah, well.  Apparently ‘gpgv --status-fd’ reports the fingerprint of
the subkey, not that of the primary key, which is why we’re storing the
fingerprint of the subkey.

I think it actually makes sense, but I wonder why ‘gpg’ makes it so hard
to see the fingerprint of subkeys.

> It would be nice if the statistics would display the primary uid
> instead, as it is something a little more human readable, and the
> primary key fingerprint, as it is a little easier to find. :)

Ah, true!

> I'm hoping the eventual goal is to integrate this into guix pull?

Of course!

Ludo’.
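
Added example, not part of the message above and not Guix's own code: one way to correlate a signing-subkey fingerprint with its primary key fingerprint and primary uid, by parsing a machine-readable keyring listing. The function names and the sample listing are assumptions constructed for illustration.

```python
import re

# Constructed sample in the format printed by
#   gpg --with-colons --with-subkey-fingerprint --list-keys
# (all fingerprints, key IDs and user IDs below are made up).
SAMPLE = """\
pub:u:4096:1:1111111111111111:1500000000:::u:::scESC:
fpr:::::::::AAAA0000AAAA0000AAAA00001111111111111111:
uid:u::::1500000000::0000::Alice Example <alice@example.org>:
uid:u::::1500000000::0000::Alice (old) <alice@old.example>:
sub:u:4096:1:3333333333333333:1500000000::::::s:
fpr:::::::::CCCC0000CCCC0000CCCC00003333333333333333:
pub:u:256:22:4444444444444444:1560000000:::u:::scESC:
fpr:::::::::DDDD0000DDDD0000DDDD00004444444444444444:
uid:u::::1560000000::0000::Bob\\x3a Example <bob@example.org>:
"""

def unescape(field):
    # Colon listings escape ':' and other special bytes as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)

def index_keyring(listing):
    """Map each fingerprint (primary key or subkey) to its primary key and uid."""
    index, owner, pending = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            owner = {"primary": None, "uid": None}  # shared with its subkeys
            pending = "pub"
        elif f[0] == "sub" and owner is not None:
            pending = "sub"
        elif f[0] == "fpr" and pending and len(f) > 9:
            if pending == "pub":
                owner["primary"] = f[9].upper()
            index[f[9].upper()] = {"owner": owner, "role": pending}
            pending = None
        elif f[0] == "uid" and owner and owner["uid"] is None and len(f) > 9:
            owner["uid"] = unescape(f[9])  # gpg lists the primary uid first
    return index

def describe_signer(index, fingerprint):
    """Name the owner of the key whose fingerprint a verifier reported."""
    fpr = fingerprint.upper()
    entry = index.get(fpr)
    if entry is None:
        return f"unknown key {fpr}"
    owner = entry["owner"]
    via = "" if entry["role"] == "pub" else f" via subkey {fpr}"
    return f"{owner['uid']} [{owner['primary']}]{via}"
```

To run it against the keyring mentioned in the thread, feed `index_keyring` the output of that gpg command with `--no-default-keyring --keyring ~/.config/guix/keyrings/channels/guix.kbx` added.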