gnupg: Accept revoked keys.

I (nckx) have revoked all RSA subkeys, in favour of my older and freshly-refreshed ECDSA ones. This was merely a precaution: to my knowledge all my RSA private keys have been carefully destroyed and were never compromised. This commit keeps ‘make authenticate’ happy. * guix/gnupg.scm (revkeysig-rx): New variable for revoked keys. (gnupg-verify): Parse it. (gnupg-status-good-signature?): Accept it as ‘good’ for our purposes. * build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2020-04-17 23:25:17 +02:00 · 2020-04-17 23:25:17 +02:00 · aa78c596c9
parent 5a8ef3c127
commit aa78c596c9
2 changed files with 14 additions and 4 deletions
--- a/build-aux/git-authenticate.scm
+++ b/build-aux/git-authenticate.scm
@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -147,11 +148,11 @@
    ("mthl"
     "F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37")
    ("nckx"
-     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
-     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
-    ("nckx (2nd)"
     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
     "F5DA 2032 4B87 3D0B 7A38  7672 0DB0 FF88 4F55 6D79")
+    ("nckx (revoked; not compromised)"
+     ;; primary: "F5BC 5534 C36F 0087 B39D  36EF 1C9D C4FE B9DB 7C4B"
+     "7E8F AED0 0944 78EF 72E6  4D16 D889 B0F0 18C5 493C")
    ("niedzejkob"
     "E576 BFB2 CF6E B13D F571  33B9 E315 A758 4613 1564")
    ("ngz"
--- a/guix/gnupg.scm
+++ b/guix/gnupg.scm
@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@ -71,6 +72,8 @@
   "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
 (define expkeysig-rx                    ; good signature, but expired key
  (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
+(define revkeysig-rx                    ; good signature, but revoked key
+  (make-regexp "^\\[GNUPG:\\] REVKEYSIG ([[:xdigit:]]+) (.*)$"))
 (define errsig-rx
  ;; Note: The fingeprint part (the last element of the line) appeared in
  ;; GnuPG 2.2.7 according to 'doc/DETAILS', and it may be missing.
@ -114,6 +117,11 @@ revoked.  Return a status s-exp if GnuPG failed."
           (lambda (match)
             `(expired-key-signature ,(match:substring match 1) ; fingerprint
                                     ,(match:substring match 2)))) ; user name
+          ((regexp-exec revkeysig-rx line)
+           =>
+           (lambda (match)
+             `(revoked-key-signature ,(match:substring match 1) ; fingerprint
+                                     ,(match:substring match 2)))) ; user name
          ((regexp-exec errsig-rx line)
           =>
           (lambda (match)
@ -157,7 +165,8 @@ a fingerprint/user pair; return #f otherwise."
  (match (assq 'valid-signature status)
    (('valid-signature fingerprint date timestamp)
     (match (or (assq 'good-signature status)
-                (assq 'expired-key-signature status))
+                (assq 'expired-key-signature status)
+                (assq 'revoked-key-signature status))
       ((_ key-id user) (cons fingerprint user))
       (_ #f)))
    (_