ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 15:36:20 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

upstream: 'download-tarball' gracefully handles missing signatures.

Browse source 
This avoids a backtrace with "guix refresh -u rdiff-backup", which has
".asc" signatures instead of ".sig".

* guix/upstream.scm (download-tarball): Gracefully handle the case where
SIG is false.
* guix/gnu-maintenance.scm (latest-savannah-release): Add comment about
'file->signature'.
This commit is contained in:
Ludovic Courtès 2020-07-21 12:30:24 +02:00
parent ad5cb62d4a
commit fa3d9c4db4
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
2 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
guix/gnu-maintenance.scm
View file

@ -650,6 +650,9 @@ (define (latest-savannah-release package)
(directory (dirname (uri-path uri)))
(rewrite (url-prefix-rewrite %savannah-base
"mirror://savannah")))
;; Note: We use the default 'file->signature', which adds ".sig", but not
;; all projects on Savannah follow that convention: some use ".asc" and
;; perhaps some lack signatures altogether.
(and=> (latest-html-release package
#:base-url %savannah-base
#:directory directory)

9
guix/upstream.scm
View file

@ -326,10 +326,17 @@ (define* (download-tarball store url signature-url
(built-derivations (list drv))
(return (derivation->output-path drv))))))))
(let-values (((status data)
(gnupg-verify* sig data #:key-download key-download)))
(if sig
(gnupg-verify* sig data
#:key-download key-download)
(values 'missing-signature data))))
(match status
('valid-signature
tarball)
('missing-signature
(warning (G_ "failed to download detached signature from ~a~%")
signature-url)
#f)
('invalid-signature
(warning (G_ "signature verification failed for '~a' (key: ~a)~%")
url data)