upstream: 'download-tarball' gracefully handles missing signatures.

This avoids a backtrace with "guix refresh -u rdiff-backup", which has ".asc" signatures instead of ".sig". * guix/upstream.scm (download-tarball): Gracefully handle the case where SIG is false. * guix/gnu-maintenance.scm (latest-savannah-release): Add comment about 'file->signature'.
author: Ludovic Courtès <ludo@gnu.org> 2020-07-21 12:30:24 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2020-07-21 17:50:44 +0200
commit: fa3d9c4db4407cebf9bdb2e251595bd25193c95e (patch)
tree: fcaeacde4af3e34bdb6d25694979b07d2818972c /guix
parent: ad5cb62d4afab2b4a808121fe81c5b8db053d7fe (diff)
2 files changed, 11 insertions, 1 deletions
diff --git a/guix/gnu-maintenance.scm b/guix/gnu-maintenance.scm
index 2a4d94dbb0..cd7109002b 100644
--- a/guix/gnu-maintenance.scm
+++ b/guix/gnu-maintenance.scm
@@ -650,6 +650,9 @@ releases are on gnu.org."
          (directory (dirname (uri-path uri)))
          (rewrite   (url-prefix-rewrite %savannah-base
                                         "mirror://savannah")))
+    ;; Note: We use the default 'file->signature', which adds ".sig", but not
+    ;; all projects on Savannah follow that convention: some use ".asc" and
+    ;; perhaps some lack signatures altogether.
     (and=> (latest-html-release package
                                 #:base-url %savannah-base
                                 #:directory directory)
diff --git a/guix/upstream.scm b/guix/upstream.scm
index 6a57bad710..70cbfb45e8 100644
--- a/guix/upstream.scm
+++ b/guix/upstream.scm
@@ -326,10 +326,17 @@ values: 'interactive' (default), 'always', and 'never'."
                                (built-derivations (list drv))
                                (return (derivation->output-path drv))))))))
           (let-values (((status data)
-                        (gnupg-verify* sig data #:key-download key-download)))
+                        (if sig
+                            (gnupg-verify* sig data
+                                           #:key-download key-download)
+                            (values 'missing-signature data))))
             (match status
               ('valid-signature
                tarball)
+              ('missing-signature
+               (warning (G_ "failed to download detached signature from ~a~%")
+                        signature-url)
+               #f)
               ('invalid-signature
                (warning (G_ "signature verification failed for '~a' (key: ~a)~%")
                         url data)
author	Ludovic Courtès <ludo@gnu.org>	2020-07-21 12:30:24 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2020-07-21 17:50:44 +0200
commit	fa3d9c4db4407cebf9bdb2e251595bd25193c95e (patch)
tree	fcaeacde4af3e34bdb6d25694979b07d2818972c /guix
parent	ad5cb62d4afab2b4a808121fe81c5b8db053d7fe (diff)