path: root/guix/gnupg.scm
Age | Commit message | Author
2021-11-18 | gnupg: Honor GnuPG's configuration for the key server. | Maxim Cournoyer
The previous default "pool.sks-keyservers.net" doesn't seem to work anymore; besides, users know best.
* guix/gnupg.scm (%openpgp-key-server): Default to #f, meaning not provided. (gnupg-receive-keys): Make SERVER and KEYRING keyword arguments. Adjust doc. Provide the '--keyserver' argument only when %openpgp-key-server is not #f. (gnupg-verify*): Do not set a default value for SERVER. Adjust accordingly.
2020-04-17 | gnupg: Accept revoked keys. | Tobias Geerinckx-Rice
I (nckx) have revoked all RSA subkeys, in favour of my older and freshly-refreshed ECDSA ones. This was merely a precaution: to my knowledge all my RSA private keys have been carefully destroyed and were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys. (gnupg-verify): Parse it. (gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2019-12-20 | gnupg: 'gnupg-verify*' returns a status symbol. | Ludovic Courtès
This allows callers to distinguish between signature verification failure and missing key.
* guix/gnupg.scm (gnupg-receive-keys): Return true on success. (gnupg-verify*): Check return value of 'gnupg-receive-keys'. Return two values, the first one being a symbol.
* guix/upstream.scm (download-tarball): Get the two return values of 'gnupg-verify*', and match on the first one.
* gnu/packages/bash.scm (download-patches): Check the first return value of 'gnupg-verify*'.
2019-12-19 | gnupg: Compile regexps only once. | Ludovic Courtès
This halves the run time on a large number of subsequent 'gnupg-verify' calls.
* guix/gnupg.scm (sigid-rx, goodsig-rx, validsig-rx, expkeysig-rx) (errsig-rx): New variables, lifted from... (gnupg-verify)[status-line->sexp]: ... here.
2019-12-18 | gnupg: 'gnupg-status-missing-key?' returns a fingerprint when possible. | Ludovic Courtès
Until then, 'gnupg-status-missing-key?' would return a key id. Its user, 'gnupg-verify*', would then fetch a key with that ID from key servers, thus possibly the wrong key (due to key ID collisions). If it did fetch the wrong key, the effect would be a signature verification failure down the path--e.g., in "guix refresh -u".
* guix/gnupg.scm (gnupg-verify)[maybe-fingerprint]: New procedure. [status-line->sexp](errsig-rx): Add parenthetical expression at the end. Fetch it and add it to the 'signature-error' sexp. (gnupg-status-missing-key?): Match the whole 'signature-error' sexp and return preferably the fingerprint rather than KEY-ID. (gnupg-receive-keys): Rename 'key-id' parameter to 'fingerprint/key-id'.
2019-12-18 | gnupg: 'gnupg-status-good-signature?' no longer returns a key ID. | Ludovic Courtès
Returning a key ID was inconsequential because the only user of 'gnupg-status-good-signature?', (guix upstream) (via 'gnupg-verify*'), would not check the return value as long as it's true.
* guix/gnupg.scm (gnupg-status-good-signature?): Return a fingerprint/user pair instead of key-id/user. (gnupg-verify*): Mention it in docstring.
2018-09-25 | gnupg: Change default keyserver. | Ludovic Courtès
* guix/gnupg.scm (%openpgp-key-server): Change default to "pool.sks-keyservers.net".
2018-09-16 | gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly. | Ludovic Courtès
* guix/gnupg.scm (%gpgv-command, current-keyring): New variables. (gnupg-verify): Add optional 'keyring' parameter. Use 'gpgv' instead of 'gpg' and pass it '--keyring'. (gnupg-receive-keys): Add optional 'keyring' parameter and honor it. (gnupg-verify*): Add #:keyring and honor it.
* guix/scripts/refresh.scm (%options, show-help): Add '--keyring'. (guix-refresh): Parameterize CURRENT-KEYRING.
* doc/guix.texi (Invoking guix refresh): Document '--keyring' and the keybox format.
2017-05-03 | ui: Rename '_' to 'G_'. | Ludovic Courtès
This avoids collisions with '_' when the latter is used as a 'match' pattern for instance. See <https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00464.html>.
* guix/ui.scm: Rename '_' to 'G_'.
* po/guix/Makevars (XGETTEXT_OPTIONS): Adjust accordingly.
* build-aux/compile-all.scm (warnings): Remove 'format'.
* gnu/packages.scm, gnu/services.scm, gnu/services/shepherd.scm, gnu/system.scm, gnu/system/shadow.scm, guix/gnupg.scm, guix/http-client.scm, guix/import/cpan.scm, guix/import/elpa.scm, guix/import/pypi.scm, guix/nar.scm, guix/scripts.scm, guix/scripts/archive.scm, guix/scripts/authenticate.scm, guix/scripts/build.scm, guix/scripts/challenge.scm, guix/scripts/container.scm, guix/scripts/container/exec.scm, guix/scripts/copy.scm, guix/scripts/download.scm, guix/scripts/edit.scm, guix/scripts/environment.scm, guix/scripts/gc.scm, guix/scripts/graph.scm, guix/scripts/hash.scm, guix/scripts/import.scm, guix/scripts/import/cpan.scm, guix/scripts/import/cran.scm, guix/scripts/import/crate.scm, guix/scripts/import/elpa.scm, guix/scripts/import/gem.scm, guix/scripts/import/gnu.scm, guix/scripts/import/hackage.scm, guix/scripts/import/nix.scm, guix/scripts/import/pypi.scm, guix/scripts/import/stackage.scm, guix/scripts/lint.scm, guix/scripts/offload.scm, guix/scripts/pack.scm, guix/scripts/package.scm, guix/scripts/perform-download.scm, guix/scripts/publish.scm, guix/scripts/pull.scm, guix/scripts/refresh.scm, guix/scripts/size.scm, guix/scripts/substitute.scm, guix/scripts/system.scm, guix/ssh.scm, guix/upstream.scm: Use 'G_' instead of '_'.
Most of this change was obtained by running: "sed -i -e's/(_ "/(G_ "/g' `find -name \*.scm`".
2016-09-06 | gnupg: Honor $GUIX_GPG_COMMAND and default to 'gpg'. | Ludovic Courtès
* guix/gnupg.scm (%gpg-command): Change to "gpg" or $GUIX_GPG_COMMAND.
2014-09-24 | gnupg: Correctly parse current 'SIG_ID' lines. | Ludovic Courtès
* guix/gnupg.scm (gnupg-verify)[sigid-rx]: Adjust to handle current signature ID encoding.
2013-06-10 | guix refresh: Add '--key-download'. | Nikita Karetnikov
* guix/gnu-maintenance.scm (download-tarball): Add a 'key-download' keyword argument and pass it to 'gnupg-verify*'. Make 'archive-type' a keyword argument. (package-update): Add a 'key-download' keyword argument. Pass 'archive-type' and 'key-download' keyword arguments to 'download-tarball'.
* guix/gnupg.scm: Import (ice-9 i18n) and (guix ui). (gnupg-verify*): Add a 'key-download' keyword argument and adjust 'gnupg-verify*' to use it. Make 'server' a keyword argument.
* guix/scripts/refresh.scm (show-help, %options): Add and document '--key-download'. (update-package): Add a 'key-download' keyword argument and pass it to 'package-update'. (guix-refresh): Pass 'key-download' to 'update-package'. Limit lines to a maximum of 79 characters.
2013-05-11 | gnupg: Turn the GPG command name and keyserver into parameters. | Ludovic Courtès
* guix/gnupg.scm (%gpg-command): Turn into a SRFI-39 parameter. (%openpgp-key-server): Likewise. Default to pgp.mit.edu, as keys.gnupg.net is unreliable. Update users.
2013-04-25 | Add `guix refresh' and related auto-update tools. | Ludovic Courtès
* guix/gnu-maintenance.scm (ftp-server/directory)[quirks]: Add glib. (package-update-path, download-tarball, package-update, update-package-source): New procedures.
* guix/gnupg.scm, guix/scripts/refresh.scm: New files.
* Makefile.am (MODULES): Add them.
* guix/utils.scm (file-extension): New procedure.