diff options
| author | Tobias Geerinckx-Rice <me@tobias.gr> | 2020-04-17 23:25:17 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2020-04-17 23:36:47 +0200 |
| commit | aa78c596c9eaae946f779d8fa3c4125d08187648 (patch) | |
| tree | d167f0df5519a4b906410eefcbbacd788e98a620 /guix/gnupg.scm | |
| parent | 5a8ef3c127b21251bb1d3aae144a01682179e40d (diff) | |
| download | gnu-guix-aa78c596c9eaae946f779d8fa3c4125d08187648.tar gnu-guix-aa78c596c9eaae946f779d8fa3c4125d08187648.tar.gz | |
gnupg: Accept revoked keys.
I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones. This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'guix/gnupg.scm')
| -rw-r--r-- | guix/gnupg.scm | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/guix/gnupg.scm b/guix/gnupg.scm index bf0283f8fe..5fae24b325 100644 --- a/guix/gnupg.scm +++ b/guix/gnupg.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> +;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -71,6 +72,8 @@ "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$")) (define expkeysig-rx ; good signature, but expired key (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$")) +(define revkeysig-rx ; good signature, but revoked key + (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$")) (define errsig-rx ;; Note: The fingeprint part (the last element of the line) appeared in ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing. @@ -114,6 +117,11 @@ revoked. Return a status s-exp if GnuPG failed." (lambda (match) `(expired-key-signature ,(match:substring match 1) ; fingerprint ,(match:substring match 2)))) ; user name + ((regexp-exec revkeysig-rx line) + => + (lambda (match) + `(revoked-key-signature ,(match:substring match 1) ; fingerprint + ,(match:substring match 2)))) ; user name ((regexp-exec errsig-rx line) => (lambda (match) @@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise." (match (assq 'valid-signature status) (('valid-signature fingerprint date timestamp) (match (or (assq 'good-signature status) - (assq 'expired-key-signature status)) + (assq 'expired-key-signature status) + (assq 'revoked-key-signature status)) ((_ key-id user) (cons fingerprint user)) (_ #f))) (_ |