* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing @ 2020-04-12 2:55 elaexuotee--- via Bug reports for GNU Guix 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix 0 siblings, 2 replies; 9+ messages in thread From: elaexuotee--- via Bug reports for GNU Guix @ 2020-04-12 2:55 UTC (permalink / raw) To: 40565 [-- Attachment #1.1: Type: text/plain, Size: 693 bytes --] Playing around with the git repo and following along with: https://guix.gnu.org/manual/en/html_node/Building-from-Git.html#Building-from-Git make authenticate is erroring out for me: $ make authenticate ... Throw to `srfi-34' with args `(#<condition &message [message: "could not authenticate commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing"] 7f3e2c05eee0>)'. It looks like the referenced key doesn't exist in the keyservers: $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 gpg: keyserver receive failed: No data Am I flubbing something up? Or is this a legitimate issue? Cheers, [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 260 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing 2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix @ 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 1:52 ` Eric Bavier 2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix 1 sibling, 2 replies; 9+ messages in thread From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-16 16:24 UTC (permalink / raw) To: 40565; +Cc: Eric Bavier [-- Attachment #1: Type: text/plain, Size: 1237 bytes --] Ela, Eric, elaexuotee--- via Bug reports for GNU Guix 写道: > It looks like the referenced key doesn't exist in the > keyservers: > > $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 > gpg: keyserver receive failed: No data > > Am I flubbing something up? Or is this a legitimate issue? It's not you. ‘make authenticate’ is currently broken for any practical purpose. Eric, I didn't find any previous discussion about this. Could you help us out by publishing this ‘secret’ key somewhere? :-) Your key at Savannah[0] is a different one and there's no A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS, keys.gnupg.net, or pgp.mit.edu. Kind regards, T G-R [0]: curl https://savannah.gnu.org/people/viewgpg.php?user_id=93889 | gpg pub rsa2048/0x34532F9FAFCA8B8E 2016-05-26 [SC] Key fingerprint = 34FF 38BC D151 25A6 E340 A0B5 3453 2F9F AFCA 8B8E uid Eric Bavier <bavier@member.fsf.org> sub rsa2048/0x5A9C1FD168338676 2016-05-26 [E] [expired: 2017-05-26] sub rsa2048/0x1EBBD204781F962C 2016-05-26 [S] [expired: 2017-05-26] sub rsa4096/0xFD73CAC719D32566 2017-06-13 [S] [expires: 2021-06-12] [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 1:52 ` Eric Bavier 2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 1 sibling, 1 reply; 9+ messages in thread From: Eric Bavier @ 2020-04-17 1:52 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 40565 On 16.04.2020 11:24, Tobias Geerinckx-Rice wrote: > Ela, Eric, > > elaexuotee--- via Bug reports for GNU Guix 写道: >> It looks like the referenced key doesn't exist in the keyservers: >> >> $ gpg --recv-keys A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 >> gpg: keyserver receive failed: No data >> > Eric, I didn't find any previous discussion about this. Could you > help us out by publishing this ‘secret’ key somewhere? :-) > > Your key at Savannah[0] is a different one and there's no > A0C5E3522EF8EF5C64CDB7F0FD73CAC719D325 on keys.openpgp.org, SKS, > keys.gnupg.net, or pgp.mit.edu. A0C5E352... is a signing subkey. The key on Savannah, 34FF38BC..., is the primary key. The signature checks out with my primary key. -- `~Eric ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing 2020-04-17 1:52 ` Eric Bavier @ 2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 0 siblings, 0 replies; 9+ messages in thread From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 11:15 UTC (permalink / raw) To: 40565-done [-- Attachment #1: Type: text/plain, Size: 291 bytes --] Eric, Eric Bavier 写道: > A0C5E352... is a signing subkey. The key on Savannah, > 34FF38BC..., is > the primary key. The signature checks out with my primary key. Unbelievable… This isolation is rotting my brain. >_< Thank you, and closing. Kind regards, T G-R [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 1:52 ` Eric Bavier @ 2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 1 sibling, 0 replies; 9+ messages in thread From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 17:39 UTC (permalink / raw) To: 40565 [-- Attachment #1: Type: text/plain, Size: 458 bytes --] Ela, Tobias Geerinckx-Rice via Bug reports for GNU Guix 写道: > It's not you. ‘make authenticate’ is currently broken for any > practical purpose. To make it pass for now: $ curl "https://savannah.gnu.org/people/viewgpg.php?user_id=147297" \ "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1" | gpg --import --{no-default-,}keyring ~/.config/guix/keyrings/channels/guix.kbx Kind regards, T G-R [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 0/1] bug#40565: make authenticate fails 2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix 1 sibling, 1 reply; 9+ messages in thread From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 UTC (permalink / raw) To: 40565 So, This quick & dirty patch fixes ‘make authenticate’ by fetching the Guix ‘Project Member GPG Keyring’ from Savannah, and an extra key file for Ivan Petrov who isn't in the member keyring. I still get stuck on the status below, which looks like it should be parsed as success but isn't. That's unrelated to this patch though. Kind regards, T G-R [0]: (((unparsed-line "[GNUPG:] NEWSIG") (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (signature-id "rZTN/jnketKOnK9bnnyNMw+ff0M" "2020-01-17" 1579282240) (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEYEXPIRED 1561675910") (unparsed-line "[GNUPG:] KEY_CONSIDERED F5BC5534C36F0087B39D36EF1C9DC4FEB9DB7C4B 0") (unparsed-line "[GNUPG:] REVKEYSIG D889B0F018C5493C Tobias Geerinckx-Rice <me@tobias.gr>") (valid-signature "7E8FAED0094478EF72E64D16D889B0F018C5493C" "2020-01-17" 1579282240) (unparsed-line "[GNUPG:] VERIFICATION_COMPLIANCE_MODE 23"))) ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah. 2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-19 11:15 ` Ludovic Courtès 0 siblings, 1 reply; 9+ messages in thread From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-17 20:20 UTC (permalink / raw) To: 40565 * build-aux/git-authenticate.scm (%project-keyring-uris) (import-keyring-uri, import-project-keys): New variables. (authenticate-commits): Import known project keys before authenticating. * guix/gnupg.scm (ensure-file): New procedure. (gnupg-receive-keys): Use it. (gnupg-import): New exported procedure. --- build-aux/git-authenticate.scm | 23 +++++++++++++++++++++++ guix/gnupg.scm | 24 ++++++++++++++++++++---- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm index 37e0c6800c..bd33546b7f 100644 --- a/build-aux/git-authenticate.scm +++ b/build-aux/git-authenticate.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -23,6 +24,7 @@ (use-modules (git) (guix git) (guix gnupg) + (guix http-client) (guix utils) ((guix build utils) #:select (mkdir-p)) (guix i18n) @@ -225,6 +227,26 @@ ;; Commits lacking a signature. '()) +;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work? +(define %project-keyring-uris + ;; List of ‘project keyring’ URIs containing the %COMMITERS's keys. + ;; Signatures not made by any of the %AUTHORIZED-SIGNING-KEYS will still be + ;; rejected. Missing keys will be fetched from the %OPENPGP-KEY-SERVER. + (list + "https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1" + + ;; Additional keys not in the Guix keyring nor on %OPENPGP-KEY-SERVER. + "https://savannah.gnu.org/people/viewgpg.php?user_id=147297")) ; ipetkov + +(define* (import-keyring-uri uri) + (let* ((port (http-fetch uri)) + (keyring (get-bytevector-all port))) + (close-port port) + (gnupg-import keyring))) + +(define (import-project-keys) + (for-each import-keyring-uri %project-keyring-uris)) + (define-syntax-rule (with-temporary-files file1 file2 exp ...) (call-with-temporary-output-file (lambda (file1 port1) @@ -303,6 +325,7 @@ key: ~a") each of them. Return an alist showing the number of occurrences of each key." (parameterize ((current-keyring (string-append (config-directory) "/keyrings/channels/guix.kbx"))) + (import-project-keys) (fold (lambda (commit stats) (report-progress) (let ((signer (authenticate-commit repository commit))) diff --git a/guix/gnupg.scm b/guix/gnupg.scm index bf0283f8fe..f407dfcab4 100644 --- a/guix/gnupg.scm +++ b/guix/gnupg.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> +;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -18,6 +19,7 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (guix gnupg) + #:use-module (ice-9 binary-ports) #:use-module (ice-9 popen) #:use-module (ice-9 match) #:use-module (ice-9 regex) @@ -30,6 +32,7 @@ #:export (%gpg-command %openpgp-key-server current-keyring + gnupg-import gnupg-verify gnupg-verify* gnupg-status-good-signature? @@ -173,18 +176,31 @@ missing key or its key id if the fingerprint is unavailable." (_ #f))) status)) +(define* (ensure-file file) + "Create a new empty FILE if none with that name exists." + (unless (file-exists? file) + (mkdir-p (dirname file)) + (call-with-output-file file (const #t)))) + (define* (gnupg-receive-keys fingerprint/key-id server #:optional (keyring (current-keyring))) "Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to KEYRING." - (unless (file-exists? keyring) - (mkdir-p (dirname keyring)) - (call-with-output-file keyring (const #t))) ;create an empty keybox - + (ensure-file keyring) (zero? (system* (%gpg-command) "--keyserver" server "--no-default-keyring" "--keyring" keyring "--recv-keys" fingerprint/key-id))) +(define* (gnupg-import keys + #:optional (keyring (current-keyring))) + "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING." + (ensure-file keyring) + (let ((pipe (open-pipe* OPEN_WRITE + (%gpg-command) "--import" "--batch" "--quiet" + "--no-default-keyring" "--keyring" keyring))) + (put-bytevector pipe keys) + (close-port pipe))) + (define* (gnupg-verify* sig file #:key (key-download 'interactive) -- 2.25.2 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah. 2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2020-04-19 11:15 ` Ludovic Courtès 2020-05-04 9:02 ` Ludovic Courtès 0 siblings, 1 reply; 9+ messages in thread From: Ludovic Courtès @ 2020-04-19 11:15 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 40565 Hi Tobias, Tobias Geerinckx-Rice <me@tobias.gr> skribis: > * build-aux/git-authenticate.scm (%project-keyring-uris) > (import-keyring-uri, import-project-keys): New variables. > (authenticate-commits): Import known project keys before authenticating. > * guix/gnupg.scm (ensure-file): New procedure. > (gnupg-receive-keys): Use it. > (gnupg-import): New exported procedure. The patch LGTM but it doesn’t apply for some reason. Could you take a look? > +;; XXX HTTP here is OK but is there any realistic scenario where TLS won't work? > +(define %project-keyring-uris I’m not sure what the XXX comment means. We’re fetching over HTTPS anyway, right? > +(define* (import-keyring-uri uri) > + (let* ((port (http-fetch uri)) > + (keyring (get-bytevector-all port))) > + (close-port port) > + (gnupg-import keyring))) IWBN if ‘gnupg-import’ could take an input port instead of a bytevector. It’d be great if you could add docstrings for top-level procedures. > +(define* (gnupg-import keys > + #:optional (keyring (current-keyring))) > + "Add all KEYS in a bytevector produced by ‘gpg --export’ to KEYRING." > + (ensure-file keyring) > + (let ((pipe (open-pipe* OPEN_WRITE > + (%gpg-command) "--import" "--batch" "--quiet" > + "--no-default-keyring" "--keyring" keyring))) > + (put-bytevector pipe keys) > + (close-port pipe))) So what about changing ‘keys’ to ‘port’, and then you would: (dump-port port pipe) ? Thanks for addressing this! Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah. 2020-04-19 11:15 ` Ludovic Courtès @ 2020-05-04 9:02 ` Ludovic Courtès 0 siblings, 0 replies; 9+ messages in thread From: Ludovic Courtès @ 2020-05-04 9:02 UTC (permalink / raw) To: Tobias Geerinckx-Rice; +Cc: 40565-done Hi again Tobias, Ludovic Courtès <ludo@gnu.org> skribis: > Tobias Geerinckx-Rice <me@tobias.gr> skribis: > >> * build-aux/git-authenticate.scm (%project-keyring-uris) >> (import-keyring-uri, import-project-keys): New variables. >> (authenticate-commits): Import known project keys before authenticating. >> * guix/gnupg.scm (ensure-file): New procedure. >> (gnupg-receive-keys): Use it. >> (gnupg-import): New exported procedure. > > The patch LGTM but it doesn’t apply for some reason. Could you take a > look? With commit 041dc3a9c0694ada41b86115b9774a23c9d50f73, this change becomes unnecessary (see <https://issues.guix.gnu.org/issue/22883#64> about the ‘keyring’ branch.) Closing! Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-05-04 9:03 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-04-12 2:55 bug#40565: make authenticate fails: commit 77704cb13e5bebf412297dab764a00849a3cfdc0: key A0C5E3522EF8EF5C64CDB7F0FD73CAC719D32566 is missing elaexuotee--- via Bug reports for GNU Guix 2020-04-16 16:24 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 1:52 ` Eric Bavier 2020-04-17 11:15 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 17:39 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 20:20 ` bug#40565: [PATCH 0/1] bug#40565: make authenticate fails Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-17 20:20 ` bug#40565: [PATCH 1/1] git-authenticate: Fetch keyrings from Savannah Tobias Geerinckx-Rice via Bug reports for GNU Guix 2020-04-19 11:15 ` Ludovic Courtès 2020-05-04 9:02 ` Ludovic Courtès
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/guix.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.