* bug#71918: [DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work
@ 2024-07-03 14:48 Attila Lendvai
  2024-07-24 21:44 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Attila Lendvai @ 2024-07-03 14:48 UTC
  To: 71918

context:
--------

i was trying to:

$ ./pre-inst-env guix refresh --update dropbear

but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.


the problem:
------------

then i went to the manual, and it suggests:

$ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

and i ran:

$ curl https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc | gpg --import
$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >>~/.config/guix/upstream/trustedkeys.kbx

it ran without errors, but when i tried to guix refresh it failed with:

gpgv: [don't know]: invalid packet (ctb=00)

i double checked, and made sure the trustedkeys.kbx was empty prior to running the above.


analysis:
---------

i ran the following after guix refresh has successfully imported the key:

$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >x
$ file x
x: data
$ file ~/.config/guix/upstream/trustedkeys.kbx
/home/user/.config/guix/upstream/trustedkeys.kbx: OpenPGP Public Key Version 4, Created Mon Jun 29 12:53:01 2015, RSA (Encrypt or Sign, 4096 bits)
$ ll x
-rw-r--r-- 1 user users 1883 Jul  3 16:41 x
$ ll ~/.config/guix/upstream/trustedkeys.kbx
-rw-r--r-- 1 user users 1208 Jul  3 16:18 /home/user/.config/guix/upstream/trustedkeys.kbx

i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.


workaround:
-----------

in the end i cleared the trustedkeys.kbx file, and i used another keyserver that doesn't strip the ID:

./pre-inst-env guix refresh --key-server="hkps://keyserver.ubuntu.com" --update dropbear

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Good people don’t need laws to tell them to act responsibly, and bad people will find a way around the laws.”
	— Plato (c. 427–347 BC)
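
An added example, not part of the original message and not Guix or GnuPG code: a Python check that tells an OpenPGP packet stream from a GnuPG keybox by its leading bytes, the distinction behind the `file` output above and the byte gpgv prints in `ctb=00`. The sample byte strings are constructed; that the reporter's file `x` begins with a length prefix is an assumption, not something the message shows.

```python
"""Classify what a keyring file starts with (added example; sample bytes are constructed)."""
import sys

# OpenPGP packet tags that appear in exported keys (RFC 4880, section 4.3).
TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}


def classify(data: bytes) -> str:
    """Describe the container format suggested by the first bytes of `data`."""
    if not data:
        return "empty"
    # A GnuPG keybox starts with a header blob carrying the magic "KBXf" at offset 8.
    # Check this first: the blob's length field makes its first byte 0x00.
    if data[8:12] == b"KBXf":
        return "keybox"
    ctb = data[0]
    # Every OpenPGP packet starts with a tag byte (CTB) whose top bit is set.
    # "invalid packet (ctb=00)" therefore means the first byte read was 0x00.
    if not ctb & 0x80:
        return f"not-openpgp (ctb={ctb:02x})"
    if ctb & 0x40:
        tag = ctb & 0x3F          # new-format header: tag in bits 5..0
    else:
        tag = (ctb >> 2) & 0x0F   # old-format header: tag in bits 5..2
    return "openpgp " + TAGS.get(tag, f"tag-{tag}")


# Constructed samples (not taken from the report).
OLD_PUBKEY = bytes([0x99, 0x02, 0x0D, 0x04])        # old-format public-key packet, v4
NEW_PUBKEY = bytes([0xC6, 0xFF, 0x00, 0x00])        # new-format public-key packet
KEYBOX_HEADER = bytes.fromhex("0000002001010002") + b"KBXf" + bytes(20)
# Assumption: a file that begins with a 4-byte big-endian length and no keybox header.
LENGTH_PREFIXED = (1883).to_bytes(4, "big") + bytes([0x02, 0x01])

if __name__ == "__main__":
    # Usage: python classify_keyring.py ~/.config/guix/upstream/trustedkeys.kbx x
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {classify(fh.read(32))}")
```
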






* bug#71918: [DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work
  2024-07-03 14:48 bug#71918: [DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work Attila Lendvai
@ 2024-07-24 21:44 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2024-07-24 21:44 UTC
  To: Attila Lendvai; +Cc: 71918

Hi,

Attila Lendvai <attila@lendvai.name> skribis:

> i was trying to:
>
> $ ./pre-inst-env guix refresh --update dropbear
>
> but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.

Yes, that’s the case of keys.openpgp.org, unless the user explicitly
consented to publishing user ID packets:

  https://keys.openpgp.org/about

> then i went to the manual, and it suggests:
> 
> $ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

[...]

> i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.

Ouch.  (I’m pretty sure I tested it back then, maybe something changed?)

Since that part is not so useful anyway, how about dropping the now
incorrect bit about kbxutil, like so:


[-- Attachment #2: Type: text/x-patch, Size: 647 bytes --]

diff --git a/doc/guix.texi b/doc/guix.texi
index 9ba96af459..7323931bad 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15050,14 +15050,7 @@ Invoking guix refresh
 missing keys are downloaded to this keyring as well (see
 @option{--key-download} below).
 
-You can export keys from your default GPG keyring into a keybox file using
-commands like this one:
-
-@example
-gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
-@end example
-
-Likewise, you can fetch keys to a specific keybox file like this:
+You can fetch keys to a specific keybox file like this:
 
 @example
 gpg --no-default-keyring --keyring mykeyring.kbx \
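
Review bot: the new sentence "You can fetch keys to a specific keybox file like this:" leaves fetching as the only documented way to populate the keybox, yet the report in this thread is a case where the key was already held locally and the keyserver copy came back with "no user ID". Consider adding a sentence about keyservers that omit user ID packets, pointing at the `--key-server` option the reporter used as a workaround, and, if exporting from the default keyring is still meant to be supported, replacing the removed `gpg --export ... | kbxutil --import-openpgp` line with a command that has been tested against `guix refresh` rather than dropping the use case without mention.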

?

Thanks,
Ludo’.
