Browse Source

upstream: 'download-tarball' gracefully handles missing signatures.

This avoids a backtrace with "guix refresh -u rdiff-backup", which has
".asc" signatures instead of ".sig".

* guix/upstream.scm (download-tarball): Gracefully handle the case where
SIG is false.
* guix/gnu-maintenance.scm (latest-savannah-release): Add comment about
'file->signature'.
gn-latest-20200725
Ludovic Courtès 1 year ago
parent
commit
fa3d9c4db4
No known key found for this signature in database GPG Key ID: 90B11993D9AEBB5
  1. 3
      guix/gnu-maintenance.scm
  2. 9
      guix/upstream.scm

3
guix/gnu-maintenance.scm

@ -650,6 +650,9 @@ releases are on gnu.org."
(directory (dirname (uri-path uri)))
(rewrite (url-prefix-rewrite %savannah-base
"mirror://savannah")))
;; Note: We use the default 'file->signature', which adds ".sig", but not
;; all projects on Savannah follow that convention: some use ".asc" and
;; perhaps some lack signatures altogether.
(and=> (latest-html-release package
#:base-url %savannah-base
#:directory directory)

9
guix/upstream.scm

@ -326,10 +326,17 @@ values: 'interactive' (default), 'always', and 'never'."
(built-derivations (list drv))
(return (derivation->output-path drv))))))))
(let-values (((status data)
(gnupg-verify* sig data #:key-download key-download)))
(if sig
(gnupg-verify* sig data
#:key-download key-download)
(values 'missing-signature data))))
(match status
('valid-signature
tarball)
('missing-signature
(warning (G_ "failed to download detached signature from ~a~%")
signature-url)
#f)
('invalid-signature
(warning (G_ "signature verification failed for '~a' (key: ~a)~%")
url data)

Loading…
Cancel
Save