mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
services: guix: Generate key pair if needed during activation.
* gnu/services/base.scm (guix-activation): Invoke "guix archive --generate-key". * doc/guix.texi (Invoking guix archive) (Invoking guix deploy): Mention that 'guix-service-type' takes care of generating the key pair.
This commit is contained in:
parent
8ac318068b
commit
d367a7f3d0
2 changed files with 16 additions and 8 deletions
|
@ -4600,9 +4600,11 @@ the store.
|
|||
@item --generate-key[=@var{parameters}]
|
||||
@cindex signing, archives
|
||||
Generate a new key pair for the daemon. This is a prerequisite before
|
||||
archives can be exported with @option{--export}. Note that this
|
||||
operation usually takes time, because it needs to gather enough entropy
|
||||
to generate the key pair.
|
||||
archives can be exported with @option{--export}. This
|
||||
operation is usually instantaneous but it can take time if the system's
|
||||
entropy pool needs to be refilled. On Guix System,
|
||||
@code{guix-service-type} takes care of generating this key pair the
|
||||
first boot.
|
||||
|
||||
The generated key pair is typically stored under @file{/etc/guix}, in
|
||||
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
|
||||
|
@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different
|
|||
|
||||
Do note that you first need to generate a key pair on the coordinator machine
|
||||
to allow the daemon to export signed archives of files from the store
|
||||
(@pxref{Invoking guix archive}).
|
||||
(@pxref{Invoking guix archive}), though this step is automatic on Guix
|
||||
System:
|
||||
|
||||
@example
|
||||
# guix archive --generate-key
|
||||
|
|
|
@ -1653,10 +1653,15 @@ (define (guix-activation config)
|
|||
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
|
||||
;; chown leads to an entire copy of the tree, which is a bad idea.
|
||||
|
||||
;; Optionally authorize substitute server keys.
|
||||
(if authorize-key?
|
||||
;; Generate a key pair and optionally authorize substitute server keys.
|
||||
#~(begin
|
||||
(unless (file-exists? "/etc/guix/signing-key.pub")
|
||||
(system* #$(file-append guix "/bin/guix") "archive"
|
||||
"--generate-key"))
|
||||
|
||||
#$(if authorize-key?
|
||||
(substitute-key-authorization keys guix)
|
||||
#~#f))))
|
||||
#~#f)))))
|
||||
|
||||
(define* (references-file item #:optional (name "references"))
|
||||
"Return a file that contains the list of references of ITEM."
|
||||
|
|
Loading…
Reference in a new issue