services: guix: Generate key pair if needed during activation.

* gnu/services/base.scm (guix-activation): Invoke "guix archive
--generate-key".
* doc/guix.texi (Invoking guix archive)
(Invoking guix deploy): Mention that 'guix-service-type' takes care of
generating the key pair.
Ludovic Courtès 2020-09-27 14:55:32 +02:00
parent 8ac318068b
commit d367a7f3d0
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 16 additions and 8 deletions

@ -4600,9 +4600,11 @@ the store.
@item --generate-key[=@var{parameters}] @item --generate-key[=@var{parameters}]
@cindex signing, archives @cindex signing, archives
Generate a new key pair for the daemon. This is a prerequisite before Generate a new key pair for the daemon. This is a prerequisite before
archives can be exported with @option{--export}. Note that this archives can be exported with @option{--export}. This
operation usually takes time, because it needs to gather enough entropy operation is usually instantaneous but it can take time if the system's
to generate the key pair. entropy pool needs to be refilled. On Guix System,
@code{guix-service-type} takes care of generating this key pair the
first boot.
The generated key pair is typically stored under @file{/etc/guix}, in The generated key pair is typically stored under @file{/etc/guix}, in
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private @file{signing-key.pub} (public key) and @file{signing-key.sec} (private
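Review bot: "takes care of generating this key pair the first boot" in the added sentence is missing a preposition and slightly misstates when generation happens: the base.scm hunk in this same commit runs `guix archive --generate-key` whenever `/etc/guix/signing-key.pub` is absent, i.e. at the first activation on a system lacking the key, which is usually but not necessarily the first boot. Suggest "takes care of generating this key pair at first activation (typically on the first boot)", and since @file{signing-key.pub} and @file{signing-key.sec} are named two lines later, "under @file{/etc/guix}" could be cited there so readers know which file the service checks for.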
@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different
Do note that you first need to generate a key pair on the coordinator machine Do note that you first need to generate a key pair on the coordinator machine
to allow the daemon to export signed archives of files from the store to allow the daemon to export signed archives of files from the store
(@pxref{Invoking guix archive}). (@pxref{Invoking guix archive}), though this step is automatic on Guix
System:
@example @example
# guix archive --generate-key # guix archive --generate-key
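Review bot: the rewritten sentence now ends with "though this step is automatic on Guix System:" and the colon introduces the @example showing the manual `guix archive --generate-key` command, so it reads as if the example were the automatic part. Suggest moving the clause so the colon introduces the manual step, e.g. "(@pxref{Invoking guix archive}); on Guix System this is done automatically by @code{guix-service-type}, otherwise run:", which also cross-references the service that the 'Invoking guix archive' hunk mentions.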

@ -1653,10 +1653,15 @@ (define (guix-activation config)
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs, ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
;; chown leads to an entire copy of the tree, which is a bad idea. ;; chown leads to an entire copy of the tree, which is a bad idea.
;; Optionally authorize substitute server keys. ;; Generate a key pair and optionally authorize substitute server keys.
(if authorize-key? #~(begin
(substitute-key-authorization keys guix) (unless (file-exists? "/etc/guix/signing-key.pub")
#~#f)))) (system* #$(file-append guix "/bin/guix") "archive"
"--generate-key"))
#$(if authorize-key?
(substitute-key-authorization keys guix)
#~#f)))))
(define* (references-file item #:optional (name "references")) (define* (references-file item #:optional (name "references"))
"Return a file that contains the list of references of ITEM." "Return a file that contains the list of references of ITEM."
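Review bot: the exit status of `system*` is discarded, so a failing `guix archive --generate-key` (for instance when /etc/guix is not writable) leaves activation looking successful while `--export` and `guix deploy` fail later with a missing key; wrapping the call as `(unless (zero? (system* ...)) ...)` and printing a message on failure would surface the problem at activation time. The guard only tests `/etc/guix/signing-key.pub`: if the public key is present but `signing-key.sec` (the secret half named in the doc hunk) is missing, or the reverse, nothing is regenerated and nothing is reported; checking both files, or at least the secret key, would be safer. Also, the path is hardcoded here while `guix archive` decides where it actually writes the pair, so a short comment noting that the two must stay in sync would help future readers.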