bug#51822: closed ([PATCH] gnupg: Honor GnuPG's configuration for the key server.)

[GNU bug Tracking System]

Your message dated Thu, 18 Nov 2021 15:05:43 -0500
with message-id <87ee7dfcvc.fsf@gmail.com>
and subject line Re: [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for 
the key server.
has caused the debbugs.gnu.org bug report #51822,
regarding [PATCH] gnupg: Honor GnuPG's configuration for the key server.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
51822: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=51822
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> [PATCH] gnupg: Honor GnuPG's configuration for the key server.
>
>
>
>
> Date: 
>
> Sat, 13 Nov 2021 21:51:50 -0500
>
>
>
>
> The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
> besides, users know best.
>
> * guix/gnupg.scm (%openpgp-key-server): Default to #f, meaning not provided.
> (gnupg-receive-keys): Make SERVER and KEYRING keyword arguments.  Adjust doc.
> Provide the '--keyserver' argument only when %openpgp-key-server is not #f.
> (gnupg-verify*): Do not set a default value for SERVER.  Adjust accordingly.
> ---
>  guix/gnupg.scm | 31 ++++++++++++++++++-------------
>  1 file changed, 18 insertions(+), 13 deletions(-)
>
> diff --git a/guix/gnupg.scm b/guix/gnupg.scm
> index 5fae24b325..2ec77c6a71 100644
> --- a/guix/gnupg.scm
> +++ b/guix/gnupg.scm
> @@ -2,6 +2,7 @@
>  ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018, 2019 Ludovic Courtès 
> <ludo@gnu.org>
>  ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
>  ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
> +;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -56,9 +57,9 @@ (define current-keyring
>                                   "/gpg/trustedkeys.kbx")))
>  
>  (define %openpgp-key-server
> -  ;; The default key server.  Note that keys.gnupg.net appears to be
> -  ;; unreliable.
> -  (make-parameter "pool.sks-keyservers.net"))
> +  ;; The default key server.  It defaults to #f, which causes GnuPG to use the
> +  ;; one it is configured with.
> +  (make-parameter #f))
>  
>  ;; Regexps for status lines.  See file `doc/DETAILS' in GnuPG.
>  
> @@ -182,22 +183,26 @@ (define (gnupg-status-missing-key? status)
>             (_ #f)))
>         status))
>  
> -(define* (gnupg-receive-keys fingerprint/key-id server
> -                             #:optional (keyring (current-keyring)))
> -  "Download FINGERPRINT/KEY-ID from SERVER, a key server, and add it to
> -KEYRING."
> +(define* (gnupg-receive-keys fingerprint/key-id
> +                             #:key server (keyring (current-keyring)))
> +  "Download FINGERPRINT/KEY-ID from SERVER if specified, otherwise from
> +GnuPG's default/configure on.  The key is added to KEYRING."
>    (unless (file-exists? keyring)
>      (mkdir-p (dirname keyring))
> -    (call-with-output-file keyring (const #t)))   ;create an empty keybox
> +    (call-with-output-file keyring (const #t))) ;create an empty keybox
>  
> -  (zero? (system* (%gpg-command) "--keyserver" server
> -                  "--no-default-keyring" "--keyring" keyring
> -                  "--recv-keys" fingerprint/key-id)))
> +  (zero? (apply system*
> +                `(,(%gpg-command)
> +                  ,@(if server
> +                        (list "--keyserver" server)
> +                        '())
> +                  "--no-default-keyring" "--keyring" ,keyring
> +                  "--recv-keys" ,fingerprint/key-id))))
>  
>  (define* (gnupg-verify* sig file
>                          #:key
>                          (key-download 'interactive)
> -                        (server (%openpgp-key-server))
> +                        server
>                          (keyring (current-keyring)))
>    "Like `gnupg-verify', but try downloading the public key if it's missing.
>  Return two values: 'valid-signature and a fingerprint/name pair upon success,
> @@ -215,7 +220,7 @@ (define* (gnupg-verify* sig file
>         (let ((missing (gnupg-status-missing-key? status)))
>           (define (download-and-try-again)
>             ;; Download the missing key and try again.
> -           (if (gnupg-receive-keys missing server keyring)
> +           (if (gnupg-receive-keys missing #:server server #:keyring keyring)
>                 (match (gnupg-status-good-signature?
>                         (gnupg-verify sig file keyring))
>                   (#f
> -- 
> 2.33.1
>
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: [bug#51822] [PATCH] gnupg: Honor GnuPG's configuration for the key server.
>
>
>
>
> Date: 
>
> Thu, 18 Nov 2021 15:05:43 -0500
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
>
>
>
>
> Hello,
>
> zimoun <zimon.toutoune@gmail.com> writes:
>
> > Re,
> >
> > On Thu, 18 Nov 2021 at 16:57, Maxim Cournoyer <maxim.cournoyer@gmail.com> 
> > wrote:
> >
> >> guix time-machine is not broken as a whole, but the 'guix refresh
> >> --update' commands that makes use of the (guix gnupg) module would for
> >> sure in whichever commit of Guix, unless pool.sks-keyservers.net is
> >> revived.  As a workaround, the --key-server option can be set to
> >> hkp://keyserver.ubuntu.com (what became the default in recent GnuPG
> >> releases).
> >
> > Thanks for explaining.  Perfect if there is a (almost) straightforward
> > workaround. :-)
> >
> > LGTM!
>
> Alright, thanks for the review!  Submitted as 4c91332cce.
>
> Thanks,
>
> Closing.
>
> Maxim
>
>
> --- End Message ---