Message ID | 20211114025150.27630-1-maxim.cournoyer@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [bug#51822] gnupg: Honor GnuPG's configuration for the key server. | expand |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparision |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
Hi Maxim,
On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
Does this mean some "guix time-machine" could be broken?
Cheers,
simon
Hi Simon,

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
>
> Does this mean some "guix time-machine" could be broken?

I don't think so, else I fail to see the relationship.

Thanks,

Maxim
Hi Maxim,

On Thu, 18 Nov 2021 at 14:01, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> zimoun <zimon.toutoune@gmail.com> writes:
>
> > On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
> >
> >> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
> >
> > Does this mean some "guix time-machine" could be broken?
>
> I don't think so, else I fail to see the relationship.

If a server was used for doing something by Guix at version A, and
this server is now down, is that something still doable using this
old version A of Guix, where this old version A is reachable by "guix
time-machine"?

Maybe it does not make sense and it is not relevant.

Cheers,
simon
Hi Simon,

zimoun <zimon.toutoune@gmail.com> writes:

> Hi Maxim,
>
> On Thu, 18 Nov 2021 at 14:01, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>> zimoun <zimon.toutoune@gmail.com> writes:
>> > On Sun, 14 Nov 2021 at 04:00, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>> >
>> >> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
>> >
>> > Does this mean some "guix time-machine" could be broken?
>>
>> I don't think so, else I fail to see the relationship.
>
> If a server was used for doing something by Guix at version A, then
> this server is now down, is the something still now doable using this
> old version A of Guix? Where this old version A is reachable by "guix
> time-machine".
>
> Maybe it does not make sense and it is not relevant.

The default server that was hard-coded in Guix (or in GnuPG) in the past
would still not work *now*, even using an older Guix commit :-). So I do
not think it is relevant.

Thanks,

Maxim
Re,

On Thu, 18 Nov 2021 at 15:21, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> > If a server was used for doing something by Guix at version A, then
> > this server is now down, is the something still now doable using this
> > old version A of Guix? Where this old version A is reachable by "guix
> > time-machine".
> >
> > Maybe it does not make sense and it is not relevant.
>
> The default server that was hard-coded in Guix (or in GnuPG) in the past
> would still not work *now*, even using an older Guix commit :-).

Yeah, for sure. My question is: because this server is not working
*now* and is hard-coded in previous versions, is "guix time-machine" still
working for all the subcommands? Or is it broken as collateral damage
of server down + hard coded? :-)

Cheers,
simon
Hi,

zimoun <zimon.toutoune@gmail.com> writes:

> Re,
>
> On Thu, 18 Nov 2021 at 15:21, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> > If a server was used for doing something by Guix at version A, then
>> > this server is now down, is the something still now doable using this
>> > old version A of Guix? Where this old version A is reachable by "guix
>> > time-machine".
>> >
>> > Maybe it does not make sense and it is not relevant.
>>
>> The default server that was hard-coded in Guix (or in GnuPG) in the past
>> would still not work *now*, even using an older Guix commit :-).
>
> Yeah, for sure. My question is: because this server is not working
> *now* and hard-coded on previous version, is "guix time-machine" still
> working for all the subcommands? Or is it broken as collateral damage
> of server down + hard coded? :-)

guix time-machine is not broken as a whole, but the 'guix refresh
--update' command that makes use of the (guix gnupg) module would for
sure be, in whichever commit of Guix, unless pool.sks-keyservers.net is
revived. As a workaround, the --key-server option can be set to
hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
releases).

Thanks,

Maxim
Re,

On Thu, 18 Nov 2021 at 16:57, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:

> guix time-machine is not broken as a whole, but the 'guix refresh
> --update' commands that makes use of the (guix gnupg) module would for
> sure in whichever commit of Guix, unless pool.sks-keyservers.net is
> revived. As a workaround, the --key-server option can be set to
> hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
> releases).

Thanks for explaining. Perfect if there is an (almost) straightforward
workaround. :-)

LGTM!

Cheers,
simon
Hello,

zimoun <zimon.toutoune@gmail.com> writes:

> Re,
>
> On Thu, 18 Nov 2021 at 16:57, Maxim Cournoyer <maxim.cournoyer@gmail.com> wrote:
>
>> guix time-machine is not broken as a whole, but the 'guix refresh
>> --update' commands that makes use of the (guix gnupg) module would for
>> sure in whichever commit of Guix, unless pool.sks-keyservers.net is
>> revived. As a workaround, the --key-server option can be set to
>> hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
>> releases).
>
> Thanks for explaining. Perfect if there is a (almost) straightforward
> workaround. :-)
>
> LGTM!

Alright, thanks for the review! Submitted as 4c91332cce.

Thanks,

Closing.

Maxim
diff --git a/guix/gnupg.scm b/guix/gnupg.scm index 5fae24b325..2ec77c6a71 100644 --- a/guix/gnupg.scm +++ b/guix/gnupg.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> +;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -56,9 +57,9 @@ (define current-keyring "/gpg/trustedkeys.kbx"))) (define %openpgp-key-server - ;; The default key server. Note that keys.gnupg.net appears to be - ;; unreliable. - (make-parameter "pool.sks-keyservers.net")) + ;; The default key server. It defaults to #f, which causes GnuPG to use the + ;; one it is configured with. + (make-parameter #f)) ;; Regexps for status lines. See file `doc/DETAILS' in GnuPG. 
@@ -182,22 +183,26 @@ (define (gnupg-status-missing-key? status) (_ #f))) status)) -(define* (gnupg-receive-keys fingerprint/key-id server - #:optional (keyring (current-keyring))) - "Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to -KEYRING." +(define* (gnupg-receive-keys fingerprint/key-id + #:key server (keyring (current-keyring))) + "Download FINGERPRINT/KEY-ID from SERVER if specified, otherwise from +GnuPG's default/configure on. The key is added to KEYRING." (unless (file-exists? keyring) (mkdir-p (dirname keyring)) - (call-with-output-file keyring (const #t))) ;create an empty keybox + (call-with-output-file keyring (const #t))) ;create an empty keybox - (zero? (system* (%gpg-command) "--keyserver" server - "--no-default-keyring" "--keyring" keyring - "--recv-keys" fingerprint/key-id))) + (zero? (apply system* + `(,(%gpg-command) + ,@(if server + (list "--keyserver" server) + '()) + "--no-default-keyring" "--keyring" ,keyring + "--recv-keys" ,fingerprint/key-id)))) (define* (gnupg-verify* sig file #:key (key-download 'interactive) - (server (%openpgp-key-server)) + server (keyring (current-keyring))) "Like `gnupg-verify', but try downloading the public key if it's missing. Return two values: 'valid-signature and a fingerprint/name pair upon success, @@ -215,7 +220,7 @@ (define* (gnupg-verify* sig file (let ((missing (gnupg-status-missing-key? status))) (define (download-and-try-again) ;; Download the missing key and try again. - (if (gnupg-receive-keys missing server keyring) + (if (gnupg-receive-keys missing #:server server #:keyring keyring) (match (gnupg-status-good-signature? (gnupg-verify sig file keyring)) (#f
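Review bot: in the `%openpgp-key-server` hunk, changing the parameter's default from the string "pool.sks-keyservers.net" to `#f` changes its type, so any caller that reads `(%openpgp-key-server)` and hands it straight to a string-expecting option now needs the same `(if server (list "--keyserver" server) '())` guard that `gnupg-receive-keys` gets in this diff; only guix/gnupg.scm is touched here, so please confirm the remaining users of the parameter (the `--key-server` option discussed in the thread, for instance) tolerate `#f`. The new comment could also say explicitly that, with `#f`, GnuPG's own `keyserver` setting or its built-in default decides where keys are fetched from, since that delegation is the behavioural change the series introduces.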
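Review bot: typo in the new docstring of `gnupg-receive-keys`: "otherwise from GnuPG's default/configure on" should read "otherwise from GnuPG's default/configured one". Separately, moving `server` from a positional argument to the `#:server` keyword changes the procedure's calling convention; the one caller in this diff, `download-and-try-again` inside `gnupg-verify*`, is updated to `(gnupg-receive-keys missing #:server server #:keyring keyring)`, but any caller outside this file that still passes the server positionally would now hit an arity error, so it is worth a grep before merging. The `(apply system* \`(,(%gpg-command) ,@(if server ...) ...))` construction itself looks right: `--no-default-keyring`, `--keyring` and `--recv-keys` are always passed and `--keyserver` only when a server was given.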