[DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work

Status: Open
Participants: Attila Lendvai, Ludovic Courtès
Owner: unassigned
Submitted by: Attila Lendvai
Severity: normal
Attila Lendvai wrote on 3 Jul 16:48 +0200
To: bug-guix@gnu.org
context:
--------

i was trying to:

$ ./pre-inst-env guix refresh --update dropbear

but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.


the problem:
------------

then i went to the manual, and it suggests:

$ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

and i ran:

$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >>~/.config/guix/upstream/trustedkeys.kbx

it ran without errors, but when i tried to guix refresh it failed with:

gpgv: [don't know]: invalid packet (ctb=00)

i double checked, and made sure the trustedkeys.kbx was empty prior to running the above.


analysis:
---------

i ran the following after guix refresh had successfully imported the key:

$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >x
$ file x
x: data
$ file ~/.config/guix/upstream/trustedkeys.kbx
/home/user/.config/guix/upstream/trustedkeys.kbx: OpenPGP Public Key Version 4, Created Mon Jun 29 12:53:01 2015, RSA (Encrypt or Sign, 4096 bits)
$ ll x
-rw-r--r-- 1 user users 1883 Jul 3 16:41 x
$ ll ~/.config/guix/upstream/trustedkeys.kbx
-rw-r--r-- 1 user users 1208 Jul 3 16:18 /home/user/.config/guix/upstream/trustedkeys.kbx

i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.


workaround:
-----------

in the end i cleared the trustedkeys.kbx file, and i used another keyserver that doesn't strip the ID:

./pre-inst-env guix refresh --key-server="hkps://keyserver.ubuntu.com" --update dropbear

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Good people don’t need laws to tell them to act responsibly, and bad people will find a way around the laws.”
— Plato (c. 427–347 BC)
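The format mismatch worked out in the analysis section above, as an added illustration that is not part of the report or of Guix: a small Python check that tells apart the plain OpenPGP packet stream guix refresh writes (and gpgv reads) from the keybox file `kbxutil --import-openpgp` emits, and shows where gpgv's "invalid packet (ctb=00)" comes from. The sample bytes are constructed; the keybox header layout assumed here (big-endian blob length, then the "KBXf" magic at offset 8) is the GnuPG keybox format, and the OpenPGP cipher type byte (CTB) decoding follows RFC 4880.

```python
# Added example: classify the first bytes of a keyring file.
# The two samples below are constructed, not taken from the report.

# Old-format OpenPGP public-key packet: CTB 0x99 = 1001 1001b
# (bit 7 set, old format, tag 6, two-byte length), then a v4 key body.
SAMPLE_OPENPGP = b"\x99\x01\x0d\x04\x55\x91\x11\x4d\x01\x10\x00" + b"\x00" * 12

# Keybox header blob: length 32, type 1, version 1, flags 0, magic "KBXf".
# Its very first byte is 0x00, which gpgv rejects as a packet header.
SAMPLE_KBX = b"\x00\x00\x00\x20\x01\x01\x00\x00" + b"KBXf" + b"\x00" * 20

KBX_MAGIC = b"KBXf"
PUBLIC_KEY_TAG = 6  # RFC 4880 packet tag for a public-key packet


def openpgp_tag(data: bytes):
    """Return the packet tag of the first OpenPGP packet, or None."""
    if not data or not data[0] & 0x80:
        return None  # bit 7 clear: not a valid CTB (gpgv: "invalid packet")
    ctb = data[0]
    if ctb & 0x40:
        return ctb & 0x3F  # new-format header: tag in the low six bits
    return (ctb >> 2) & 0x0F  # old-format header: tag in bits 5..2


def classify_keyring(data: bytes) -> str:
    """Return 'openpgp', 'keybox' or 'unknown' for a keyring's first bytes."""
    tag = openpgp_tag(data)
    if tag is not None:
        # A trusted-keys file should start with a public-key packet.
        return "openpgp" if tag == PUBLIC_KEY_TAG else "openpgp-other"
    if len(data) >= 12 and data[8:12] == KBX_MAGIC:
        return "keybox"
    return "unknown"


def explain(data: bytes) -> str:
    """Mimic the diagnostic gpgv gives when handed a keybox file."""
    kind = classify_keyring(data)
    if kind == "keybox":
        return f"keybox file (first byte 0x{data[0]:02x}); gpgv reports ctb={data[0]:02x}"
    return kind


if __name__ == "__main__":
    print(explain(SAMPLE_OPENPGP))  # openpgp
    print(explain(SAMPLE_KBX))      # keybox file (first byte 0x00); gpgv reports ctb=00
```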
Ludovic Courtès wrote on 24 Jul 23:44 +0200
To: Attila Lendvai <attila@lendvai.name>, 71918@debbugs.gnu.org
Hi,

Attila Lendvai <attila@lendvai.name> skribis:

> i was trying to:
>
> $ ./pre-inst-env guix refresh --update dropbear
>
> but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.

Yes, that’s the case of keys.openpgp.org, unless the user explicitly
consented to publishing user ID packets:


> then i went to the manual, and it suggests:
>
> $ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

[...]

> i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.

Ouch. (I’m pretty sure I tested it back then, maybe something changed?)

Since that part is not so useful anyway, how about dropping the now
incorrect bit about kbxutil, like so:
diff --git a/doc/guix.texi b/doc/guix.texi
index 9ba96af459..7323931bad 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15050,14 +15050,7 @@ Invoking guix refresh
missing keys are downloaded to this keyring as well (see
@option{--key-download} below).
-You can export keys from your default GPG keyring into a keybox file using
-commands like this one:
-
-@example
-gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
-@end example
-
-Likewise, you can fetch keys to a specific keybox file like this:
+You can fetch keys to a specific keybox file like this:
@example
gpg --no-default-keyring --keyring mykeyring.kbx \
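Review bot: removing the `gpg --export ... | kbxutil --import-openpgp >> mykeyring.kbx` paragraph leaves the manual with no documented way to get a key that is already in the user's default GPG keyring into the keybox, and the reason the old example failed is lost with it: the report's `file` output shows that the trustedkeys.kbx guix refresh creates is a plain OpenPGP public key stream, whereas kbxutil produces a different format that gpgv rejects with "invalid packet (ctb=00)". Consider keeping one sentence here that states which format the keybox file must have, and, if a plain `gpg --export KEYID` export turns out to produce what gpgv accepts, replacing the removed example with that rather than dropping it outright; the retained "You can fetch keys to a specific keybox file like this:" sentence could also mention the `--key-server` option, since switching keyservers was the workaround in this report.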

Thanks,
Ludo’.