Browse Source

gnupg: Accept revoked keys.

I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones.  This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised.  This commit keeps ‘make authenticate’ happy.

* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
gn-latest-20200428
Tobias Geerinckx-Rice 6 months ago
committed by Ludovic Courtès
parent
commit
aa78c596c9
No known key found for this signature in database GPG Key ID: 90B11993D9AEBB5
2 changed files with 14 additions and 4 deletions
  1. +4
    -3
      build-aux/git-authenticate.scm
  2. +10
    -1
      guix/gnupg.scm

+ 4
- 3
build-aux/git-authenticate.scm View File

@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -147,11 +148,11 @@
("mthl"
"F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37")
("nckx"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("nckx (2nd)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79")
("nckx (revoked; not compromised)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("niedzejkob"
"E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564")
("ngz"


+ 10
- 1
guix/gnupg.scm View File

@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -71,6 +72,8 @@
"^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
(define expkeysig-rx ; good signature, but expired key
(make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
(define revkeysig-rx ; good signature, but revoked key
(make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
(define errsig-rx
;; Note: The fingeprint part (the last element of the line) appeared in
;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed."
(lambda (match)
`(expired-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name
((regexp-exec revkeysig-rx line)
=>
(lambda (match)
`(revoked-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name
((regexp-exec errsig-rx line)
=>
(lambda (match)
@@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise."
(match (assq 'valid-signature status)
(('valid-signature fingerprint date timestamp)
(match (or (assq 'good-signature status)
(assq 'expired-key-signature status))
(assq 'expired-key-signature status)
(assq 'revoked-key-signature status))
((_ key-id user) (cons fingerprint user))
(_ #f)))
(_


Loading…
Cancel
Save