[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.

[Ludovic Courtès]

Hello Guix,

(Cc’ing people with expertise and interest in this…)

This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
file format to store and read upstream public keys (instead of using the
user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
of ‘gpg --verify’.

‘gpgv’ is specifically designed for use cases like software signature
verification against a keyring of “trusted keys” (it’s used by APT and
Werner Koch recommends it¹.)  A significant difference compared to
‘gpg --verify’ is that it doesn’t check whether keys are expired or
revoked; all that matters is whether the signature is valid and whether
the signing key is in the specified keyring.  I think that’s what we
want when checking the signature of a tarball or Git commit.

This patch changes the behavior of ‘guix refresh -u’, which now uses,
by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
That means that if you already have upstream keys in your own keyring,
you’ll probably want to export them to this keyring.

Unfortunately the keybox format and tools are poorly documented, which
is why I gave examples on how to do that in guix.texi.

Feedback welcome!

Thanks,
Ludo’.

¹ https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#58

Ludovic Courtès (1):
  gnupg: Use 'gpgv' and keybox files; adjust 'guix refresh' accordingly.

 doc/guix.texi            | 30 +++++++++++++++++++++
 guix/gnupg.scm           | 58 +++++++++++++++++++++++++++++-----------
 guix/scripts/refresh.scm | 13 +++++++--
 3 files changed, 83 insertions(+), 18 deletions(-)

-- 
2.18.0