[PATCH] gnupg: Accept revoked keys.

DoneSubmitted by Tobias Geerinckx-Rice.
Details
2 participants
  • Ludovic Courtès
  • Tobias Geerinckx-Rice
Owner
unassigned
Severity
normal
T
T
Tobias Geerinckx-Rice wrote on 17 Apr 23:25 +0200
(address . guix-patches@gnu.org)
20200417212517.22922-1-me@tobias.gr
I (nckx) have revoked all RSA subkeys, in favour of my older andfreshly-refreshed ECDSA ones. This was merely a precaution: to myknowledge all my RSA private keys have been carefully destroyed andwere never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.(gnupg-verify): Parse it.(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.--- build-aux/git-authenticate.scm | 7 ++++--- guix/gnupg.scm | 11 ++++++++++- 2 files changed, 14 insertions(+), 4 deletions(-)
Toggle diff (71 lines)diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scmindex 37e0c6800c..bb48dddc59 100644--- a/build-aux/git-authenticate.scm+++ b/build-aux/git-authenticate.scm@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;;@@ -147,11 +148,11 @@ ("mthl" "F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37") ("nckx"- ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"- "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")- ("nckx (2nd)" ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B" "F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79")+ ("nckx (revoked; not compromised)"+ ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"+ "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C") ("niedzejkob" "E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564") ("ngz"diff --git a/guix/gnupg.scm b/guix/gnupg.scmindex bf0283f8fe..5fae24b325 100644--- a/guix/gnupg.scm+++ b/guix/gnupg.scm@@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;;@@ -71,6 +72,8 @@ "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$")) (define expkeysig-rx ; good signature, but expired key (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))+(define revkeysig-rx ; good signature, but revoked key+ (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$")) (define errsig-rx ;; Note: The fingeprint part (the last element of the line) appeared in ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.@@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed." (lambda (match) `(expired-key-signature ,(match:substring match 1) ; fingerprint ,(match:substring match 2)))) ; user name+ ((regexp-exec revkeysig-rx line)+ =>+ (lambda (match)+ `(revoked-key-signature ,(match:substring match 1) ; fingerprint+ ,(match:substring match 2)))) ; user name ((regexp-exec errsig-rx line) => (lambda (match)@@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise." (match (assq 'valid-signature status) (('valid-signature fingerprint date timestamp) (match (or (assq 'good-signature status)- (assq 'expired-key-signature status))+ (assq 'expired-key-signature status)+ (assq 'revoked-key-signature status)) ((_ key-id user) (cons fingerprint user)) (_ #f))) (_-- 2.25.2
L
L
Ludovic Courtès wrote on 17 Apr 23:35 +0200
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 40689-done@debbugs.gnu.org)
87k12d94og.fsf@gnu.org
Hi,
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
Toggle quote (10 lines)> I (nckx) have revoked all RSA subkeys, in favour of my older and> freshly-refreshed ECDSA ones. This was merely a precaution: to my> knowledge all my RSA private keys have been carefully destroyed and> were never compromised. This commit keeps ‘make authenticate’ happy.>> * guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.> (gnupg-verify): Parse it.> (gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.> * build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Great. Applied on your behalf, thanks!
Ludo’.
Closed
?