summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2019-12-18 17:37:02 +0100
committerLudovic Courtès <ludo@gnu.org>2019-12-18 23:48:12 +0100
commit217b4a1587e8b9af6526915a10e648f58234ebf0 (patch)
tree942e6f50ddc270f7cc539c50197a16115c7575eb
parent9cfa322579e1be0adf0e2e1c489d336a4e5eedf7 (diff)
downloadguix-217b4a1587e8b9af6526915a10e648f58234ebf0.tar.gz
gnupg: 'gnupg-status-missing-key?' returns a fingerprint when possible.
Until then, 'gnupg-status-missing-key?' would return a key id.  Its
user, 'gnupg-verify*', would then fetch a key with that ID from key
servers, thus possibly the wrong key (due to key ID collisions).  If it
did fetch the wrong key, the effect would be a signature verification
failure down the path--e.g., in "guix refresh -u".

* guix/gnupg.scm (gnupg-verify)[maybe-fingerprint]: New procedure.
[status-line->sexp](errsig-rx): Add parenthetical expression at the end.
Fetch it and add it to the 'signature-error' sexp.
(gnupg-status-missing-key?): Match the whole 'signature-error' sexp and
return preferably the fingerprint rather than KEY-ID.
(gnupg-receive-keys): Rename 'key-id' parameter to 'fingerprint/key-id'.
-rw-r--r--guix/gnupg.scm27
1 files changed, 18 insertions, 9 deletions
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf01c7fe0b..5b11aa93fa 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -65,6 +65,11 @@
 KEYRING as assumed to be \"trusted\", whether or not they expired or were
 revoked.  Return a status s-exp if GnuPG failed."
 
+  (define (maybe-fingerprint str)
+    (match (string-trim-both str)
+      ((or "-" "") #f)
+      (fpr         fpr)))
+
   (define (status-line->sexp line)
     ;; See file `doc/DETAILS' in GnuPG.
     (define sigid-rx
@@ -78,8 +83,10 @@ revoked.  Return a status s-exp if GnuPG failed."
     (define expkeysig-rx                    ; good signature, but expired key
       (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
     (define errsig-rx
+      ;; Note: The fingeprint part (the last element of the line) appeared in
+      ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
       (make-regexp
-       "^\\[GNUPG:\\] ERRSIG ([[:xdigit:]]+) ([^ ]+) ([^ ]+) ([^ ]+) ([[:digit:]]+) ([[:digit:]]+)"))
+       "^\\[GNUPG:\\] ERRSIG ([[:xdigit:]]+) ([^ ]+) ([^ ]+) ([^ ]+) ([[:digit:]]+) ([[:digit:]]+)(.*)"))
 
     (cond ((regexp-exec sigid-rx line)
            =>
@@ -108,7 +115,7 @@ revoked.  Return a status s-exp if GnuPG failed."
           ((regexp-exec errsig-rx line)
            =>
            (lambda (match)
-             `(signature-error ,(match:substring match 1) ; key id or fingerprint
+             `(signature-error ,(match:substring match 1) ; key id
                                ,(match:substring match 2) ; pubkey algo
                                ,(match:substring match 3) ; hash algo
                                ,(match:substring match 4) ; sig class
@@ -120,7 +127,9 @@ revoked.  Return a status s-exp if GnuPG failed."
                                   (case rc
                                     ((9) 'missing-key)
                                     ((4) 'unknown-algorithm)
-                                    (else rc))))))
+                                    (else rc)))
+                               ,(maybe-fingerprint ; fingerprint or #f
+                                 (match:substring match 7)))))
           (else
            `(unparsed-line ,line))))
 
@@ -153,16 +162,16 @@ a fingerprint/user pair; return #f otherwise."
      #f)))
 
 (define (gnupg-status-missing-key? status)
-  "If STATUS denotes a missing-key error, then return the key-id of the
-missing key."
+  "If STATUS denotes a missing-key error, then return the fingerprint of the
+missing key or its key id if the fingerprint is unavailable."
   (any (lambda (sexp)
          (match sexp
-           (('signature-error key-id _ ...)
-            key-id)
+           (('signature-error key-id _ ... 'missing-key fingerprint)
+            (or fingerprint key-id))
            (_ #f)))
        status))
 
-(define* (gnupg-receive-keys key-id server
+(define* (gnupg-receive-keys fingerprint/key-id server
                              #:optional (keyring (current-keyring)))
   (unless (file-exists? keyring)
     (mkdir-p (dirname keyring))
@@ -170,7 +179,7 @@ missing key."
 
   (system* (%gpg-command) "--keyserver" server
            "--no-default-keyring" "--keyring" keyring
-           "--recv-keys" key-id))
+           "--recv-keys" fingerprint/key-id))
 
 (define* (gnupg-verify* sig file
                         #:key