bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

[elaexuotee--- via Bug reports for GNU Guix]

[-- Attachment #1.1: Type: text/plain, Size: 693 bytes --]


Playing around with the git repo and following along with:

https://guix.gnu.org/manual/en/html_node/Building-from-Git.html#Building-from-Git

make authenticate is erroring out for me:

    $ make authenticate
    ...
    Throw to `srfi-34' with args `(#<condition &message [message: "could not authenticate commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing"] 7f3e2c05eee0>)'.

It looks like the referenced key doesn't exist in the keyservers:

    $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
    gpg: keyserver receive failed: No data

Am I flubbing something up? Or is this a legitimate issue?

Cheers,

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 260 bytes --]

bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]

Ela, Eric,

elaexuotee--- via Bug reports for GNU Guix 写道：
> It looks like the referenced key doesn't exist in the 
> keyservers:
>
>     $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
>     gpg: keyserver receive failed: No data
>
> Am I flubbing something up? Or is this a legitimate issue?

It's not you.  ‘make authenticate’ is currently broken for any 
practical purpose.

Eric, I didn't find any previous discussion about this.  Could you 
help us out by publishing this ‘secret’ key somewhere?  :-)

Your key at Savannah[0] is a different one and there's no 
A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS, 
keys.gnupg.net, or pgp.mit.edu.

Kind regards,

T G-R

[0]: curl 
https://savannah.gnu.org/people/viewgpg.php?user_id=93889 | gpg
pub   rsa2048/0x34532F9FAFCA8B8E 2016-05-26 [SC]
      Key fingerprint = 34FF 38BC D151 25A6 E340  A0B5 3453 2F9F 
      AFCA 8B8E
uid                             Eric Bavier 
<bavier@member.fsf.org>
sub   rsa2048/0x5A9C1FD168338676 2016-05-26 [E] [expired: 
2017-05-26]
sub   rsa2048/0x1EBBD204781F962C 2016-05-26 [S] [expired: 
2017-05-26]
sub   rsa4096/0xFD73CAC719D32566 2017-06-13 [S] [expires: 
2021-06-12]

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

[Eric Bavier]

On 16.04.2020 11:24, Tobias Geerinckx-Rice wrote:
> Ela, Eric,
> 
> elaexuotee--- via Bug reports for GNU Guix 写道：
>> It looks like the referenced key doesn't exist in the keyservers:
>> 
>>     $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325
>>     gpg: keyserver receive failed: No data
>> 
> Eric, I didn't find any previous discussion about this.  Could you
> help us out by publishing this ‘secret’ key somewhere?  :-)
> 
> Your key at Savannah[0] is a different one and there's no
> A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS,
> keys.gnupg.net, or pgp.mit.edu.

A0C5E352... is a signing subkey.  The key on Savannah, 34FF38BC..., is 
the primary key.  The signature checks out with my primary key.

-- 
`~Eric

bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 291 bytes --]

Eric,

Eric Bavier 写道：
> A0C5E352... is a signing subkey.  The key on Savannah, 
> 34FF38BC..., is
> the primary key.  The signature checks out with my primary key.

Unbelievable…  This isolation is rotting my brain.  >_<

Thank you, and closing.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

Ela,

Tobias Geerinckx-Rice via Bug reports for GNU Guix 写道：
> It's not you.  ‘make authenticate’ is currently broken for any
> practical purpose.

To make it pass for now:

$ curl 
"https://savannah.gnu.org/people/viewgpg.php?user_id=147297" \
"https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1" 
|
gpg --import --{no-default-,}keyring 
~/.config/guix/keyrings/channels/guix.kbx

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

bug#40565: [PATCH 0/1] bug#40565: make authenticate fails

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

So,

This quick & dirty patch fixes ‘make authenticate’ by fetching the
Guix ‘Project Member GPG Keyring’ from Savannah, and an extra key file
for Ivan Petrov who isn't in the member keyring.

I still get stuck on the status below, which looks like it should be
parsed as success but isn't.  That's unrelated to this patch though.

Kind regards,

T G-R

[0]: (((unparsed-line "[GNUPG:] NEWSIG") (unparsed-line "[GNUPG:]
KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED
1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED
F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (signature-id
"rZTN/jnketKOnK9bnnyNMw+ff0M" "2020-01-17" 1579282240) (unparsed-line
"[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED
1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED
F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (unparsed-line "[GNUPG:]
REVKEYSIG D889B0F018C5493C Tobias Geerinckx-Rice <me@tobias.gr>")
(valid-signature "7E8FAED0094478EF72E64D16D889B0F018C5493C"
"2020-01-17" 1579282240) (unparsed-line "[GNUPG:]
VERIFICATION_COMPLIANCE_MODE 23")))

bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.

[Tobias Geerinckx-Rice via Bug reports for GNU Guix]

* build-aux/git-authenticate.scm (%project-keyring-uris)
(import-keyring-uri, import-project-keys): New variables.
(authenticate-commits): Import known project keys before authenticating.
* guix/gnupg.scm (ensure-file): New procedure.
(gnupg-receive-keys): Use it.
(gnupg-import): New exported procedure.
---
 build-aux/git-authenticate.scm | 23 +++++++++++++++++++++++
 guix/gnupg.scm                 | 24 ++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm
index 37e0c6800c..bd33546b7f 100644
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +24,7 @@
 (use-modules (git)
              (guix git)
              (guix gnupg)
+             (guix http-client)
              (guix utils)
              ((guix build utils) #:select (mkdir-p))
              (guix i18n)
@@ -225,6 +227,26 @@
   ;; Commits lacking a signature.
   '())
 
+;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
+(define %project-keyring-uris
+  ;; List of ‘project keyring’ URIs containing the %COMMITERS's keys.
+  ;; Signatures not made by any of the %AUTHORIZED-SIGNING-KEYS will still be
+  ;; rejected.  Missing keys will be fetched from the %OPENPGP-KEY-SERVER.
+  (list
+   "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1"
+
+   ;; Additional keys not in the Guix keyring nor on %OPENPGP-KEY-SERVER.
+   "https://savannah.gnu.org/people/viewgpg.php?user_id=147297")) ; ipetkov
+
+(define* (import-keyring-uri uri)
+  (let* ((port (http-fetch uri))
+         (keyring (get-bytevector-all port)))
+    (close-port port)
+    (gnupg-import keyring)))
+
+(define (import-project-keys)
+  (for-each import-keyring-uri %project-keyring-uris))
+
 (define-syntax-rule (with-temporary-files file1 file2 exp ...)
   (call-with-temporary-output-file
    (lambda (file1 port1)
@@ -303,6 +325,7 @@ key: ~a")
 each of them.  Return an alist showing the number of occurrences of each key."
   (parameterize ((current-keyring (string-append (config-directory)
                                                  "/keyrings/channels/guix.kbx")))
+    (import-project-keys)
     (fold (lambda (commit stats)
             (report-progress)
             (let ((signer (authenticate-commit repository commit)))
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf0283f8fe..f407dfcab4 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -18,6 +19,7 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (guix gnupg)
+  #:use-module (ice-9 binary-ports)
   #:use-module (ice-9 popen)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
@@ -30,6 +32,7 @@
   #:export (%gpg-command
             %openpgp-key-server
             current-keyring
+            gnupg-import
             gnupg-verify
             gnupg-verify*
             gnupg-status-good-signature?
@@ -173,18 +176,31 @@ missing key or its key id if the fingerprint is unavailable."
            (_ #f)))
        status))
 
+(define* (ensure-file file)
+  "Create a new empty FILE if none with that name exists."
+  (unless (file-exists? file)
+    (mkdir-p (dirname file))
+    (call-with-output-file file (const #t))))
+
 (define* (gnupg-receive-keys fingerprint/key-id server
                              #:optional (keyring (current-keyring)))
   "Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to
 KEYRING."
-  (unless (file-exists? keyring)
-    (mkdir-p (dirname keyring))
-    (call-with-output-file keyring (const #t)))   ;create an empty keybox
-
+  (ensure-file keyring)
   (zero? (system* (%gpg-command) "--keyserver" server
                   "--no-default-keyring" "--keyring" keyring
                   "--recv-keys" fingerprint/key-id)))
 
+(define* (gnupg-import keys
+                       #:optional (keyring (current-keyring)))
+  "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
+  (ensure-file keyring)
+  (let ((pipe (open-pipe* OPEN_WRITE
+                          (%gpg-command) "--import" "--batch" "--quiet"
+                          "--no-default-keyring" "--keyring" keyring)))
+    (put-bytevector pipe keys)
+    (close-port pipe)))
+
 (define* (gnupg-verify* sig file
                         #:key
                         (key-download 'interactive)
-- 
2.25.2

bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.

[Ludovic Courtès]

Hi Tobias,

Tobias Geerinckx-Rice <me@tobias.gr> skribis:

> * build-aux/git-authenticate.scm (%project-keyring-uris)
> (import-keyring-uri, import-project-keys): New variables.
> (authenticate-commits): Import known project keys before authenticating.
> * guix/gnupg.scm (ensure-file): New procedure.
> (gnupg-receive-keys): Use it.
> (gnupg-import): New exported procedure.

The patch LGTM but it doesn’t apply for some reason.  Could you take a
look?

> +;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work?
> +(define %project-keyring-uris

I’m not sure what the XXX comment means.  We’re fetching over HTTPS
anyway, right?

> +(define* (import-keyring-uri uri)
> +  (let* ((port (http-fetch uri))
> +         (keyring (get-bytevector-all port)))
> +    (close-port port)
> +    (gnupg-import keyring)))

IWBN if ‘gnupg-import’ could take an input port instead of a bytevector.

It’d be great if you could add docstrings for top-level procedures.

> +(define* (gnupg-import keys
> +                       #:optional (keyring (current-keyring)))
> +  "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING."
> +  (ensure-file keyring)
> +  (let ((pipe (open-pipe* OPEN_WRITE
> +                          (%gpg-command) "--import" "--batch" "--quiet"
> +                          "--no-default-keyring" "--keyring" keyring)))
> +    (put-bytevector pipe keys)
> +    (close-port pipe)))

So what about changing ‘keys’ to ‘port’, and then you would:

  (dump-port port pipe)

?

Thanks for addressing this!

Ludo’.

bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah.

[Ludovic Courtès]

Hi again Tobias,

Ludovic Courtès <ludo@gnu.org> skribis:

> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
>> * build-aux/git-authenticate.scm (%project-keyring-uris)
>> (import-keyring-uri, import-project-keys): New variables.
>> (authenticate-commits): Import known project keys before authenticating.
>> * guix/gnupg.scm (ensure-file): New procedure.
>> (gnupg-receive-keys): Use it.
>> (gnupg-import): New exported procedure.
>
> The patch LGTM but it doesn’t apply for some reason.  Could you take a
> look?

With commit 041dc3a9c0694ada41b86115b9774a23c9d50f73, this change
becomes unnecessary (see <https://issues.guix.gnu.org/issue/22883#64>
about the ‘keyring’ branch.)

Closing!

Ludo’.