[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/02: gnupg: 'gnupg-status-missing-key?' returns a fingerprint when pos
|
From: |
guix-commits |
|
Subject: |
02/02: gnupg: 'gnupg-status-missing-key?' returns a fingerprint when possible. |
|
Date: |
Wed, 18 Dec 2019 17:48:55 -0500 (EST) |
civodul pushed a commit to branch master
in repository guix.
commit 217b4a1587e8b9af6526915a10e648f58234ebf0
Author: Ludovic Courtès <address@hidden>
Date: Wed Dec 18 17:37:02 2019 +0100
gnupg: 'gnupg-status-missing-key?' returns a fingerprint when possible.
Until then, 'gnupg-status-missing-key?' would return a key id. Its
user, 'gnupg-verify*', would then fetch a key with that ID from key
servers, thus possibly the wrong key (due to key ID collisions). If it
did fetch the wrong key, the effect would be a signature verification
failure down the path--e.g., in "guix refresh -u".
* guix/gnupg.scm (gnupg-verify)[maybe-fingerprint]: New procedure.
[status-line->sexp](errsig-rx): Add parenthetical expression at the end.
Fetch it and add it to the 'signature-error' sexp.
(gnupg-status-missing-key?): Match the whole 'signature-error' sexp and
return preferably the fingerprint rather than KEY-ID.
(gnupg-receive-keys): Rename 'key-id' parameter to 'fingerprint/key-id'.
---
guix/gnupg.scm | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/guix/gnupg.scm b/guix/gnupg.scm
index bf01c7f..5b11aa9 100644
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@@ -65,6 +65,11 @@
KEYRING as assumed to be \"trusted\", whether or not they expired or were
revoked. Return a status s-exp if GnuPG failed."
+ (define (maybe-fingerprint str)
+ (match (string-trim-both str)
+ ((or "-" "") #f)
+ (fpr fpr)))
+
(define (status-line->sexp line)
;; See file `doc/DETAILS' in GnuPG.
(define sigid-rx
@@ -78,8 +83,10 @@ revoked. Return a status s-exp if GnuPG failed."
(define expkeysig-rx ; good signature, but expired key
(make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
(define errsig-rx
+ ;; Note: The fingeprint part (the last element of the line) appeared in
+ ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
(make-regexp
- "^\\[GNUPG:\\] ERRSIG ([[:xdigit:]]+) ([^ ]+) ([^ ]+) ([^ ]+)
([[:digit:]]+) ([[:digit:]]+)"))
+ "^\\[GNUPG:\\] ERRSIG ([[:xdigit:]]+) ([^ ]+) ([^ ]+) ([^ ]+)
([[:digit:]]+) ([[:digit:]]+)(.*)"))
(cond ((regexp-exec sigid-rx line)
=>
@@ -108,7 +115,7 @@ revoked. Return a status s-exp if GnuPG failed."
((regexp-exec errsig-rx line)
=>
(lambda (match)
- `(signature-error ,(match:substring match 1) ; key id or
fingerprint
+ `(signature-error ,(match:substring match 1) ; key id
,(match:substring match 2) ; pubkey algo
,(match:substring match 3) ; hash algo
,(match:substring match 4) ; sig class
@@ -120,7 +127,9 @@ revoked. Return a status s-exp if GnuPG failed."
(case rc
((9) 'missing-key)
((4) 'unknown-algorithm)
- (else rc))))))
+ (else rc)))
+ ,(maybe-fingerprint ; fingerprint or #f
+ (match:substring match 7)))))
(else
`(unparsed-line ,line))))
@@ -153,16 +162,16 @@ a fingerprint/user pair; return #f otherwise."
#f)))
(define (gnupg-status-missing-key? status)
- "If STATUS denotes a missing-key error, then return the key-id of the
-missing key."
+ "If STATUS denotes a missing-key error, then return the fingerprint of the
+missing key or its key id if the fingerprint is unavailable."
(any (lambda (sexp)
(match sexp
- (('signature-error key-id _ ...)
- key-id)
+ (('signature-error key-id _ ... 'missing-key fingerprint)
+ (or fingerprint key-id))
(_ #f)))
status))
-(define* (gnupg-receive-keys key-id server
+(define* (gnupg-receive-keys fingerprint/key-id server
#:optional (keyring (current-keyring)))
(unless (file-exists? keyring)
(mkdir-p (dirname keyring))
@@ -170,7 +179,7 @@ missing key."
(system* (%gpg-command) "--keyserver" server
"--no-default-keyring" "--keyring" keyring
- "--recv-keys" key-id))
+ "--recv-keys" fingerprint/key-id))
(define* (gnupg-verify* sig file
#:key