services: guix: Generate key pair if needed during activation.

* gnu/services/base.scm (guix-activation): Invoke "guix archive
--generate-key".
* doc/guix.texi (Invoking guix archive)
(Invoking guix deploy): Mention that 'guix-service-type' takes care of
generating the key pair.
This commit is contained in:
Ludovic Courtès 2020-09-27 14:55:32 +02:00
parent 8ac318068b
commit d367a7f3d0
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 16 additions and 8 deletions

View file

@ -4600,9 +4600,11 @@ the store.
@item --generate-key[=@var{parameters}]
@cindex signing, archives
Generate a new key pair for the daemon. This is a prerequisite before
archives can be exported with @option{--export}. Note that this
operation usually takes time, because it needs to gather enough entropy
to generate the key pair.
archives can be exported with @option{--export}. This
operation is usually instantaneous but it can take time if the system's
entropy pool needs to be refilled. On Guix System,
@code{guix-service-type} takes care of generating this key pair the
first boot.
The generated key pair is typically stored under @file{/etc/guix}, in
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider. In such a case, a different
Do note that you first need to generate a key pair on the coordinator machine
to allow the daemon to export signed archives of files from the store
(@pxref{Invoking guix archive}).
(@pxref{Invoking guix archive}), though this step is automatic on Guix
System:
@example
# guix archive --generate-key

View file

@ -1653,10 +1653,15 @@ (define (guix-activation config)
;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
;; chown leads to an entire copy of the tree, which is a bad idea.
;; Optionally authorize substitute server keys.
(if authorize-key?
;; Generate a key pair and optionally authorize substitute server keys.
#~(begin
(unless (file-exists? "/etc/guix/signing-key.pub")
(system* #$(file-append guix "/bin/guix") "archive"
"--generate-key"))
#$(if authorize-key?
(substitute-key-authorization keys guix)
#~#f))))
#~#f)))))
(define* (references-file item #:optional (name "references"))
"Return a file that contains the list of references of ITEM."