From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 17 17:25:39 2020 Received: (at submit) by debbugs.gnu.org; 17 Apr 2020 21:25:39 +0000 Received: from localhost ([127.0.0.1]:41820 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jPYUV-0000qL-97 for submit@debbugs.gnu.org; Fri, 17 Apr 2020 17:25:39 -0400 Received: from lists.gnu.org ([209.51.188.17]:38868) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jPYUT-0000qD-7L for submit@debbugs.gnu.org; Fri, 17 Apr 2020 17:25:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58104) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jPYUR-0004LQ-LH for guix-patches@gnu.org; Fri, 17 Apr 2020 17:25:37 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1jPYUQ-0007k1-5b for guix-patches@gnu.org; Fri, 17 Apr 2020 17:25:35 -0400 Received: from tobias.gr ([2a02:c205:2020:6054::1]:60408) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1jPYUP-0007YI-Ju for guix-patches@gnu.org; Fri, 17 Apr 2020 17:25:34 -0400 Received: by tobias.gr (OpenSMTPD) with ESMTP id 2802d4a1 for ; Fri, 17 Apr 2020 21:25:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=tobias.gr; h=from:to :subject:date:message-id:mime-version:content-type :content-transfer-encoding; s=2018; i=me@tobias.gr; bh=pQEuvwoRg qid3pgi+SzLeuRXpB9XOjc+lXVkUiLU2D8=; b=Z/zx5v9uya8THIw7ROlpPK7jD n/WSk7IOhfNnFxGjEUxykimD/bB1kwF3dUaNcuYKcHl7xJ1Ds5JEN6iRlWL54yon k6ZwsvJEclfCZH101FAyAvSwnXzWAhTLdRrZK89vwbPrfF+W/ZRQnvyBqFMndsEs n199qu0qzkN3xumeX/QzgiKmPq4fCBaXhVVVEqrK/iv+iWX+vlZ5apNoERwTd47b tYFo6lIh1cljGcAoQ6dADJGATHrDN0+1/vXoCOm9sT5LO+lP/5NkTtj1dq0dDp3Z 6ATNT+bPfFBylMVCLNi8DjF5bAOyKAlYvOh3ScAJZOkS9/jvdhdmCb+FixYGg== Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id 1d142c5a (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) for ; Fri, 17 Apr 2020 21:25:27 +0000 (UTC) From: Tobias Geerinckx-Rice To: guix-patches@gnu.org Subject: [PATCH] gnupg: Accept revoked keys. Date: Fri, 17 Apr 2020 23:25:17 +0200 Message-Id: <20200417212517.22922-1-me@tobias.gr> X-Mailer: git-send-email 2.25.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a02:c205:2020:6054::1 X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) I (nckx) have revoked all RSA subkeys, in favour of my older and freshly-refreshed ECDSA ones. This was merely a precaution: to my knowledge all my RSA private keys have been carefully destroyed and were never compromised. This commit keeps ‘make authenticate’ happy. * guix/gnupg.scm (revkeysig-rx): New variable for revoked keys. (gnupg-verify): Parse it. (gnupg-status-good-signature?): Accept it as ‘good’ for our purposes. * build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys. --- build-aux/git-authenticate.scm | 7 ++++--- guix/gnupg.scm | 11 ++++++++++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/build-aux/git-authenticate.scm b/build-aux/git-authenticate.scm index 37e0c6800c..bb48dddc59 100644 --- a/build-aux/git-authenticate.scm +++ b/build-aux/git-authenticate.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès +;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -147,11 +148,11 @@ ("mthl" "F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37") ("nckx" - ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B" - "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C") - ("nckx (2nd)" ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B" "F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79") + ("nckx (revoked; not compromised)" + ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B" + "7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C") ("niedzejkob" "E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564") ("ngz" diff --git a/guix/gnupg.scm b/guix/gnupg.scm index bf0283f8fe..5fae24b325 100644 --- a/guix/gnupg.scm +++ b/guix/gnupg.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès ;;; Copyright © 2013 Nikita Karetnikov +;;; Copyright © 2020 Tobias Geerinckx-Rice ;;; ;;; This file is part of GNU Guix. ;;; @@ -71,6 +72,8 @@ "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$")) (define expkeysig-rx ; good signature, but expired key (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$")) +(define revkeysig-rx ; good signature, but revoked key + (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$")) (define errsig-rx ;; Note: The fingeprint part (the last element of the line) appeared in ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing. @@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed." (lambda (match) `(expired-key-signature ,(match:substring match 1) ; fingerprint ,(match:substring match 2)))) ; user name + ((regexp-exec revkeysig-rx line) + => + (lambda (match) + `(revoked-key-signature ,(match:substring match 1) ; fingerprint + ,(match:substring match 2)))) ; user name ((regexp-exec errsig-rx line) => (lambda (match) @@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise." (match (assq 'valid-signature status) (('valid-signature fingerprint date timestamp) (match (or (assq 'good-signature status) - (assq 'expired-key-signature status)) + (assq 'expired-key-signature status) + (assq 'revoked-key-signature status)) ((_ key-id user) (cons fingerprint user)) (_ #f))) (_ -- 2.25.2