gnupg: Accept revoked keys.

I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones.  This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised.  This commit keeps ‘make authenticate’ happy.

* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Tobias Geerinckx-Rice 2020-04-17 23:25:17 +02:00 committed by Ludovic Courtès
parent 5a8ef3c127
commit aa78c596c9
GPG key ID: 090B11993D9AEBB5
2 changed files with 14 additions and 4 deletions


@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -147,11 +148,11 @@ (define %committers
("mthl" ("mthl"
"F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37") "F2A3 8D7E EB2B 6640 5761 070D 0ADE E100 9460 4D37")
("nckx" ("nckx"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("nckx (2nd)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B" ;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79") "F5DA 2032 4B87 3D0B 7A38 7672 0DB0 FF88 4F55 6D79")
("nckx (revoked; not compromised)"
;; primary: "F5BC 5534 C36F 0087 B39D 36EF 1C9D C4FE B9DB 7C4B"
"7E8F AED0 0944 78EF 72E6 4D16 D889 B0F0 18C5 493C")
("niedzejkob" ("niedzejkob"
"E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564") "E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564")
("ngz" ("ngz"
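Review bot: The revoked subkey's fingerprint stays in the %committers allowlist with only the entry label "nckx (revoked; not compromised)" recording why, and the label is not something git-authenticate can check — authentication is by fingerprint, so the label is purely a note to maintainers. Once gnupg-status-good-signature? accepts REVKEYSIG, this per-fingerprint allowlist is what bounds the relaxation, so the entry deserves a comment stating that it is kept only so commits already signed with it still authenticate and when it can be dropped, e.g. `;; Revoked subkey (see commit aa78c596c9); kept so existing commits signed with it still verify. Remove once no authenticated history depends on it.` placed above the fingerprint. The %committers definition starts before this hunk.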


@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org> ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -71,6 +72,8 @@ (define validsig-rx
"^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$")) "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
(define expkeysig-rx ; good signature, but expired key (define expkeysig-rx ; good signature, but expired key
(make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$")) (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
(define revkeysig-rx ; good signature, but revoked key
(make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
(define errsig-rx (define errsig-rx
;; Note: The fingeprint part (the last element of the line) appeared in ;; Note: The fingeprint part (the last element of the line) appeared in
;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing. ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@ -114,6 +117,11 @@ (define (status-line->sexp line)
(lambda (match) (lambda (match)
`(expired-key-signature ,(match:substring match 1) ; fingerprint `(expired-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name ,(match:substring match 2)))) ; user name
((regexp-exec revkeysig-rx line)
=>
(lambda (match)
`(revoked-key-signature ,(match:substring match 1) ; fingerprint
,(match:substring match 2)))) ; user name
((regexp-exec errsig-rx line) ((regexp-exec errsig-rx line)
=> =>
(lambda (match) (lambda (match)
@ -157,7 +165,8 @@ (define (gnupg-status-good-signature? status)
(match (assq 'valid-signature status) (match (assq 'valid-signature status)
(('valid-signature fingerprint date timestamp) (('valid-signature fingerprint date timestamp)
(match (or (assq 'good-signature status) (match (or (assq 'good-signature status)
(assq 'expired-key-signature status)) (assq 'expired-key-signature status)
(assq 'revoked-key-signature status))
((_ key-id user) (cons fingerprint user)) ((_ key-id user) (cons fingerprint user))
(_ #f))) (_ #f)))
(_ (_
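Review bot: gnupg-status-good-signature? now returns the same `(fingerprint . user)` pair for a REVKEYSIG as for a GOODSIG, so callers lose the information that the key was revoked; GnuPG's REVKEYSIG status line carries no revocation reason, so this code cannot distinguish a precautionary revocation from one made after a compromise. That is acceptable only because git-authenticate restricts acceptance to an explicit fingerprint allowlist, and the function's docstring (above this hunk, where the define begins) should say so: describe that expired and revoked keys are treated as good, that the result does not indicate which case applied, and that callers must therefore gate on a trusted fingerprint list rather than on this predicate alone. The one-line comment `; good signature, but revoked key` on revkeysig-rx is fine as is.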