GNU bug report logs - #36956
[PATCH] machine: Automatically authorize the coordinator's signing key.


Package: guix-patches; Reported by: zerodaysfordays@HIDDEN (Jakob L. Kreuze); Keywords: patch; dated Wed, 7 Aug 2019 12:49:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 15 Aug 2019 05:52:55 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Aug 15 01:52:55 2019
Received: from localhost ([127.0.0.1]:50437 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hy8gw-0002yr-SV
	for submit <at> debbugs.gnu.org; Thu, 15 Aug 2019 01:52:55 -0400
Received: from sender4-of-o53.zoho.com ([136.143.188.53]:21379)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@HIDDEN>) id 1hy8gr-0002ye-Ke
 for 36956 <at> debbugs.gnu.org; Thu, 15 Aug 2019 01:52:53 -0400
Received: from localhost (p4FD5AC81.dip0.t-ipconnect.de [79.213.172.129]) by
 mx.zohomail.com with SMTPS id 156584835831481.52731430360791;
 Wed, 14 Aug 2019 22:52:38 -0700 (PDT)
References: <87ef1x4015.fsf@HIDDEN> <874l2sydbs.fsf@HIDDEN>
 <87zhkkk8a6.fsf@HIDDEN> <87ftmanxol.fsf@HIDDEN>
 <87imqzxygj.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
From: Ricardo Wurmus <rekado@HIDDEN>
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
In-reply-to: <87imqzxygj.fsf@HIDDEN>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Thu, 15 Aug 2019 07:52:33 +0200
Message-ID: <8736i3ug9q.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: "Jakob L. Kreuze" <zerodaysfordays@HIDDEN>, 36956 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


Christopher Lemmer Webber <cwebber@HIDDEN> writes:

> Jakob L. Kreuze writes:
>
>> zerodaysfordays@HIDDEN (Jakob L. Kreuze) writes:
>>
>>> Hi Chris and Ricardo,
>>>
>>> Christopher Lemmer Webber <cwebber@HIDDEN> writes:
>>>
>>>> This seems like a good usability improvement. For clarity, I assume
>>>> that it's still configurable, however? Would be important if pushing
>>>> builds to a different machine.
>>>
>>> No, but you raise a good point :)  I'll update this patch to make it
>>> configurable.
>>>
>>> Ricardo Wurmus <rekado@HIDDEN> writes:
>>>
>>>> This will overwrite an existing acl file on the remote with a copy
>>>> that differs only in the newly added key.
>>>>
>>>> Is there a chance for corruption, e.g. if acl->public-keys returns
>>>> something unexpected?
>>>
>>> I suppose it's possible. 'guix archive --authorize' doesn't seem to do
>>> any specific handling for it, but it doesn't hurt to be paranoid -- we
>>> "atomically" overwrite the GC root for the bootloader configuration, for
>>> example, and we could do something similar here. I'll include it in the
>>> updated patch.
>>>
>>> Regards,
>>> Jakob
>>>
>>
>> I didn't think this all the way through when I wrote this response.
>> We're already using 'with-atomic-file-output', so we're already
>> "atomically" overwriting the ACL. Also, it wouldn't solve the issue of
>> 'acl->public-keys' returning something unexpected.
>>
>> I'm not sure I have a good solution for this at the moment.
>
> But it's only a problem for guix deploy so far, right?  So it shouldn't
> break existing, hopefully-stable guix systems and rather only
> bleeding-edge guix deploy systems, right? :)

It has the potential to break systems that are the target of “guix
deploy”.  The expected breakage would be minor as the acl can be
regenerated.

> If that's true then let's file a bug about this issue and get this code
> merged after you get this in patch series form.

I agree.

--
Ricardo





Information forwarded to guix-patches@HIDDEN:
bug#36956; Package guix-patches. Full text available.

Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 14 Aug 2019 20:51:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 14 16:51:27 2019
Received: from localhost ([127.0.0.1]:49788 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hy0Ew-0000gK-Pj
	for submit <at> debbugs.gnu.org; Wed, 14 Aug 2019 16:51:27 -0400
Received: from dustycloud.org ([50.116.34.160]:40244)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <cwebber@HIDDEN>) id 1hy0Ev-0000gB-4R
 for 36956 <at> debbugs.gnu.org; Wed, 14 Aug 2019 16:51:25 -0400
Received: from twig (localhost [127.0.0.1])
 by dustycloud.org (Postfix) with ESMTPS id A750B26630;
 Wed, 14 Aug 2019 16:51:24 -0400 (EDT)
References: <87ef1x4015.fsf@HIDDEN> <874l2sydbs.fsf@HIDDEN>
 <87zhkkk8a6.fsf@HIDDEN> <87ftmanxol.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: "Jakob L. Kreuze" <zerodaysfordays@HIDDEN>
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
In-reply-to: <87ftmanxol.fsf@HIDDEN>
Date: Wed, 14 Aug 2019 16:51:24 -0400
Message-ID: <87imqzxygj.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: Ricardo Wurmus <rekado@HIDDEN>, 36956 <at> debbugs.gnu.org

Jakob L. Kreuze writes:

> zerodaysfordays@HIDDEN (Jakob L. Kreuze) writes:
>
>> Hi Chris and Ricardo,
>>
>> Christopher Lemmer Webber <cwebber@HIDDEN> writes:
>>
>>> This seems like a good usability improvement. For clarity, I assume
>>> that it's still configurable, however? Would be important if pushing
>>> builds to a different machine.
>>
>> No, but you raise a good point :)  I'll update this patch to make it
>> configurable.
>>
>> Ricardo Wurmus <rekado@HIDDEN> writes:
>>
>>> This will overwrite an existing acl file on the remote with a copy
>>> that differs only in the newly added key.
>>>
>>> Is there a chance for corruption, e.g. if acl->public-keys returns
>>> something unexpected?
>>
>> I suppose it's possible. 'guix archive --authorize' doesn't seem to do
>> any specific handling for it, but it doesn't hurt to be paranoid -- we
>> "atomically" overwrite the GC root for the bootloader configuration, for
>> example, and we could do something similar here. I'll include it in the
>> updated patch.
>>
>> Regards,
>> Jakob
>>
>
> I didn't think this all the way through when I wrote this response.
> We're already using 'with-atomic-file-output', so we're already
> "atomically" overwriting the ACL. Also, it wouldn't solve the issue of
> 'acl->public-keys' returning something unexpected.
>
> I'm not sure I have a good solution for this at the moment.

But it's only a problem for guix deploy so far, right?  So it shouldn't
break existing, hopefully-stable guix systems and rather only
bleeding-edge guix deploy systems, right? :)

If that's true then let's file a bug about this issue and get this code
merged after you get this in patch series form.





Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 9 Aug 2019 15:52:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Aug 09 11:52:42 2019
Received: from localhost ([127.0.0.1]:43149 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hw7C6-0006Vz-6J
	for submit <at> debbugs.gnu.org; Fri, 09 Aug 2019 11:52:42 -0400
Received: from mx.sdf.org ([205.166.94.20]:54608)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zerodaysfordays@HIDDEN>)
 id 1hw7C3-0006Vq-73
 for 36956 <at> debbugs.gnu.org; Fri, 09 Aug 2019 11:52:40 -0400
Received: from Upsilon (92-111-222-18.static.v4.ziggozakelijk.nl
 [92.111.222.18]) (authenticated (0 bits))
 by mx.sdf.org (8.15.2/8.14.5) with ESMTPSA id x79FqYGk028618
 (using TLSv1.2 with cipher AES256-GCM-SHA384 (256 bits) verified NO);
 Fri, 9 Aug 2019 15:52:37 GMT
From: zerodaysfordays@HIDDEN (Jakob L. Kreuze)
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
References: <87ef1x4015.fsf@HIDDEN> <874l2sydbs.fsf@HIDDEN>
 <87zhkkk8a6.fsf@HIDDEN>
Date: Fri, 09 Aug 2019 11:52:26 -0400
In-Reply-To: <87zhkkk8a6.fsf@HIDDEN> (Jakob L. Kreuze's message of
 "Wed, 07 Aug 2019 16:52:33 -0400")
Message-ID: <87ftmanxol.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: Ricardo Wurmus <rekado@HIDDEN>, 36956 <at> debbugs.gnu.org

--=-=-=
Content-Type: text/plain

zerodaysfordays@HIDDEN (Jakob L. Kreuze) writes:

> Hi Chris and Ricardo,
>
> Christopher Lemmer Webber <cwebber@HIDDEN> writes:
>
>> This seems like a good usability improvement. For clarity, I assume
>> that it's still configurable, however? Would be important if pushing
>> builds to a different machine.
>
> No, but you raise a good point :)  I'll update this patch to make it
> configurable.
>
> Ricardo Wurmus <rekado@HIDDEN> writes:
>
>> This will overwrite an existing acl file on the remote with a copy
>> that differs only in the newly added key.
>>
>> Is there a chance for corruption, e.g. if acl->public-keys returns
>> something unexpected?
>
> I suppose it's possible. 'guix archive --authorize' doesn't seem to do
> any specific handling for it, but it doesn't hurt to be paranoid -- we
> "atomically" overwrite the GC root for the bootloader configuration, for
> example, and we could do something similar here. I'll include it in the
> updated patch.
>
> Regards,
> Jakob
>

I didn't think this all the way through when I wrote this response.
We're already using 'with-atomic-file-output', so we're already
"atomically" overwriting the ACL. Also, it wouldn't solve the issue of
'acl->public-keys' returning something unexpected.

I'm not sure I have a good solution for this at the moment.

Regards,
Jakob

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--
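
The point made in the message above, that 'with-atomic-file-output' already guards against a half-written ACL but does nothing about 'acl->public-keys' returning something unexpected, shown as an added Python example (not code from this thread or from Guix). The function names, the simplified s-expression reader and the sample keys are constructed for illustration; the ACL text only imitates the shape of Guix's file.

```python
import os
import re
import tempfile
from pathlib import Path

# Simplified s-expression reader: atoms are runs of characters other than
# whitespace and parentheses (no quoted strings), enough for the sample below.
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_sexp(text):
    tokens, pos = TOKEN.findall(text), 0
    def read():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] == ")":
            raise ValueError("unexpected ')' or end of input")
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("unbalanced '('")
        pos += 1  # consume the closing parenthesis
        return items

    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing data after expression")
    return expr

def render(expr):
    if isinstance(expr, list):
        return "(" + " ".join(render(e) for e in expr) + ")"
    return expr

def public_keys(acl):
    """Return the keys listed in ACL; raise rather than return odd data."""
    if not isinstance(acl, list) or acl[:1] != ["acl"]:
        raise ValueError("not an ACL")
    keys = []
    for entry in acl[1:]:
        if not (isinstance(entry, list) and len(entry) >= 2
                and entry[0] == "entry" and isinstance(entry[1], list)
                and entry[1][:1] == ["public-key"]):
            raise ValueError("unexpected ACL entry: %r" % (entry,))
        keys.append(entry[1])
    return keys

def authorize_key(acl_path, key_text):
    """Add the key to the ACL file; return True if the file was rewritten."""
    key = parse_sexp(key_text)
    if not isinstance(key, list) or key[:1] != ["public-key"]:
        raise ValueError("not a public key")
    exists = os.path.exists(acl_path)
    old = parse_sexp(Path(acl_path).read_text()) if exists else ["acl"]
    old_keys = public_keys(old)  # stops here if the existing file looks wrong
    if key in old_keys:
        return False
    # Existing entries are kept as parsed; only the new entry is prepended.
    entry = ["entry", key, ["tag", ["guix", "import"]]]
    new_text = render(["acl", entry] + old[1:]) + "\n"
    # Re-read what is about to be written and confirm no key was lost.
    if public_keys(parse_sexp(new_text)) != [key] + old_keys:
        raise RuntimeError("rewritten ACL would drop or alter keys")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(acl_path) or ".")
    try:
        with os.fdopen(fd, "w") as out:
            out.write(new_text)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, acl_path)  # atomic rename within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return True

# Constructed sample keys (not real key material).
KEY_A = "(public-key (ecc (curve Ed25519) (q #AA11#)))"
KEY_B = "(public-key (ecc (curve Ed25519) (q #BB22#)))"

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "acl")
        Path(path).write_text("(acl (entry %s (tag (guix import))))\n" % KEY_A)
        added = authorize_key(path, KEY_B)   # new key: file rewritten
        again = authorize_key(path, KEY_B)   # already present: no write
        count = len(public_keys(parse_sexp(Path(path).read_text())))
        damaged = "(acl (entry garbage))\n"
        Path(path).write_text(damaged)
        try:
            authorize_key(path, KEY_B)
            refused = False
        except ValueError:
            refused = True
        untouched = Path(path).read_text() == damaged
    return added, again, count, refused, untouched
```

The atomic rename only decides whether readers see the old or the new file; the two `public_keys` calls are what keep an unexpected parse result from being written back.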





Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 9 Aug 2019 15:49:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Aug 09 11:49:08 2019
Received: from localhost ([127.0.0.1]:43145 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hw78e-0006R4-HA
	for submit <at> debbugs.gnu.org; Fri, 09 Aug 2019 11:49:08 -0400
Received: from mx.sdf.org ([205.166.94.20]:55452)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zerodaysfordays@HIDDEN>)
 id 1hw78c-0006Qw-PC
 for 36956 <at> debbugs.gnu.org; Fri, 09 Aug 2019 11:49:07 -0400
Received: from Upsilon (92-111-222-18.static.v4.ziggozakelijk.nl
 [92.111.222.18]) (authenticated (0 bits))
 by mx.sdf.org (8.15.2/8.14.5) with ESMTPSA id x79FmqRF019434
 (using TLSv1.2 with cipher AES256-GCM-SHA384 (256 bits) verified NO);
 Fri, 9 Aug 2019 15:48:54 GMT
From: zerodaysfordays@HIDDEN (Jakob L. Kreuze)
To: Christopher Lemmer Webber <cwebber@HIDDEN>
Subject: Re: [bug#36956] [PATCH v2] machine: Automatically authorize the
 coordinator's signing
References: <87ef1x4015.fsf@HIDDEN> <874l2sydbs.fsf@HIDDEN>
 <87zhkkk8a6.fsf@HIDDEN>
Date: Fri, 09 Aug 2019 11:48:48 -0400
In-Reply-To: <87zhkkk8a6.fsf@HIDDEN> (Jakob L. Kreuze's message of
 "Wed, 07 Aug 2019 16:52:33 -0400")
Message-ID: <87k1bmnxun.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: Ricardo Wurmus <rekado@HIDDEN>, 36956 <at> debbugs.gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

* guix/ssh.scm (remote-authorize-signing-key): New variable.
* gnu/machine/ssh.scm (deploy-managed-host): Authorize coordinator's
signing key before any invocations of 'remote-eval'.
(deploy-managed-host): Display an error if a signing key does not exist.
* doc/guix.texi (Invoking guix deploy): Remove section describing manual
signing key authorization.
(Invoking guix deploy): Add section describing the 'authorize?' field.
=2D--
 doc/guix.texi       |  3 +++
 gnu/machine/ssh.scm | 31 +++++++++++++++++++++++++------
 guix/ssh.scm        | 23 +++++++++++++++++++++++
 3 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1478749d7d..e9a0d7aa22 100644
=2D-- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25583,6 +25583,9 @@ with an @code{environment} of @code{managed-host-en=
vironment-type}.
=20
 @table @asis
 @item @code{host-name}
+@item @code{authorize?} (default: @code{#t})
+If true, the coordinator's signing key will be added to the remote's ACL
+keyring.
 @item @code{port} (default: @code{22})
 @item @code{user} (default: @code{"root"})
 @item @code{identity} (default: @code{#f})
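
Review bot: the commit log says "(Invoking guix deploy): Remove section describing manual signing key authorization", but this hunk only adds the `@item @code{authorize?}` entry and the diffstat lists 3 insertions and no deletions for doc/guix.texi, so either the removal is missing from the patch or that log line should go. Since the default is `#t`, the entry should also state that a deploy modifies the target's ACL so that archives signed by the coordinator are accepted, and say what the operator has to do by hand when the field is `#f`.
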
diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index 57af0e4bff..320bc7fdb4 100644
=2D-- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -28,13 +28,16 @@
   #:use-module (guix i18n)
   #:use-module (guix modules)
   #:use-module (guix monads)
+  #:use-module (guix pki)
   #:use-module (guix records)
   #:use-module (guix remote)
   #:use-module (guix scripts system reconfigure)
   #:use-module (guix ssh)
   #:use-module (guix store)
   #:use-module (guix utils)
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 textual-ports)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
@@ -48,6 +51,7 @@
=20
             machine-ssh-configuration-host-name
             machine-ssh-configuration-build-locally?
+            machine-ssh-configuration-authorize?
             machine-ssh-configuration-port
             machine-ssh-configuration-user
             machine-ssh-configuration-session))
@@ -70,16 +74,18 @@
   make-machine-ssh-configuration
   machine-ssh-configuration?
   this-machine-ssh-configuration
=2D  (host-name      machine-ssh-configuration-host-name) ; string
=2D  (build-locally? machine-ssh-configuration-build-locally?
+  (host-name      machine-ssh-configuration-host-name)     ; string
+  (build-locally? machine-ssh-configuration-build-locally? ; boolean
                   (default #t))
=2D  (port           machine-ssh-configuration-port       ; integer
+  (authorize?     machine-ssh-configuration-authorize?     ; boolean
+                  (default #t))
+  (port           machine-ssh-configuration-port           ; integer
                   (default 22))
=2D  (user           machine-ssh-configuration-user       ; string
+  (user           machine-ssh-configuration-user           ; string
                   (default "root"))
=2D  (identity       machine-ssh-configuration-identity   ; path to a priva=
te key
+  (identity       machine-ssh-configuration-identity       ; path to a pri=
vate key
                   (default #f))
=2D  (session        machine-ssh-configuration-session    ; session
+  (session        machine-ssh-configuration-session        ; session
                   (default #f)))
=20
 (define (machine-ssh-session machine)
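
Review bot: `authorize?` defaults to `#t` in the record definition, so machine declarations written before this field existed will start rewriting the target's ACL on their next deploy with no change on the operator's side; that deserves a mention in the commit log. The comment realignment on the `host-name`, `port`, `user`, `identity` and `session` lines also buries the one functional addition; a separate whitespace-only commit would reduce this hunk to the two new lines.
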
@@ -339,6 +345,19 @@ the 'should-roll-back' field set to SHOULD-ROLL-BACK?"
   "Internal implementation of 'deploy-machine' for MACHINE instances with =
an
 environment type of 'managed-host."
   (maybe-raise-unsupported-configuration-error machine)
+  (when (machine-ssh-configuration-authorize?
+         (machine-configuration machine))
+    (unless (file-exists? %public-key-file)
+      (raise (condition
+              (&message
+               (message (format #f (G_ "no signing key '~a'. \
+have you run 'guix archive --generate-key?'")
+                                %public-key-file))))))
+    (remote-authorize-signing-key (call-with-input-file %public-key-file
+                                    (lambda (port)
+                                      (string->canonical-sexp
+                                       (get-string-all port))))
+                                  (machine-ssh-session machine)))
   (mlet %store-monad ((_ (check-deployment-sanity machine))
                       (boot-parameters (machine-boot-parameters machine)))
     (let* ((os (machine-operating-system machine))
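
Review bot: the `when` block calls `remote-authorize-signing-key` before `(check-deployment-sanity machine)` in the `mlet` that follows, so the target's ACL has already been changed by the time a sanity check can reject the deployment; if the checks themselves need the key authorized first, add a comment saying so, otherwise move the authorization after them. In the error message the question mark sits inside the quotes, `'guix archive --generate-key?'`, so it reads as part of the option name; put it after the closing quote. The contents of `%public-key-file` also go straight into `string->canonical-sexp` with no handling for a file that exists but does not parse.
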
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 90311127a1..24834c6f68 100644
=2D-- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -21,6 +21,7 @@
   #:use-module (guix inferior)
   #:use-module (guix i18n)
   #:use-module ((guix utils) #:select (&fix-hint))
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ssh session)
   #:use-module (ssh auth)
   #:use-module (ssh key)
@@ -40,6 +41,7 @@
             remote-daemon-channel
             connect-to-remote-daemon
             remote-system
+            remote-authorize-signing-key
             send-files
             retrieve-files
             retrieve-files*
@@ -300,6 +302,27 @@ the machine on the other end of SESSION."
   (inferior-remote-eval '(begin (use-modules (guix utils)) (%current-syste=
m))
                         session))
=20
+(define (remote-authorize-signing-key key session)
+  "Send KEY, a canonical sexp containing a public key, over SESSION and ad=
d it
+to the system ACL file if it has not yet been authorized."
+  (inferior-remote-eval
+   `(begin
+      (use-modules (guix build utils)
+                   (guix pki)
+                   (guix utils)
+                   (gcrypt pk-crypto)
+                   (srfi srfi-26))
+
+      (define acl (current-acl))
+      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
+
+      (unless (authorized-key? key)
+        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
+          (mkdir-p (dirname %acl-file))
+          (with-atomic-file-output %acl-file
+            (cut write-acl acl <>)))))
+   session))
+
 (define* (send-files local files remote
                      #:key
                      recursive?
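
Review bot: in `remote-authorize-signing-key` the new file is built solely from `(cons key (acl->public-keys acl))`, so anything in the existing ACL that `acl->public-keys` does not hand back is silently dropped when `%acl-file` is replaced; `with-atomic-file-output` protects against a partial write, not against that. Before writing, check that every previously authorized key is still present in the new ACL and raise otherwise. `authorized-key?` is also called without the `acl` bound just above it; passing it would make the membership test and the rewrite use the same value.
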
=2D-=20
2.22.0


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--





Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 7 Aug 2019 20:55:48 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 07 16:55:48 2019
Received: from localhost ([127.0.0.1]:39553 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hvSyK-0008BF-FD
	for submit <at> debbugs.gnu.org; Wed, 07 Aug 2019 16:55:48 -0400
Received: from mx.sdf.org ([205.166.94.20]:55203)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zerodaysfordays@HIDDEN>)
 id 1hvSyI-0008B7-RH
 for 36956 <at> debbugs.gnu.org; Wed, 07 Aug 2019 16:55:47 -0400
Received: from Epsilon (pool-173-76-53-40.bstnma.fios.verizon.net
 [173.76.53.40]) (authenticated (0 bits))
 by mx.sdf.org (8.15.2/8.14.5) with ESMTPSA id x77KtiA2009174
 (using TLSv1.2 with cipher AES256-GCM-SHA384 (256 bits) verified NO);
 Wed, 7 Aug 2019 20:55:45 GMT
From: zerodaysfordays@HIDDEN (Jakob L. Kreuze)
To: Christopher Lemmer Webber <cwebber@HIDDEN>,
 Ricardo Wurmus <rekado@HIDDEN>
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
References: <87ef1x4015.fsf@HIDDEN> <874l2sydbs.fsf@HIDDEN>
Date: Wed, 07 Aug 2019 16:52:33 -0400
In-Reply-To: <874l2sydbs.fsf@HIDDEN> (Ricardo Wurmus's message of "Wed,
 07 Aug 2019 21:39:51 +0200")
Message-ID: <87zhkkk8a6.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: 36956 <at> debbugs.gnu.org

--=-=-=
Content-Type: text/plain

Hi Chris and Ricardo,

Christopher Lemmer Webber <cwebber@HIDDEN> writes:

> This seems like a good usability improvement. For clarity, I assume
> that it's still configurable, however? Would be important if pushing
> builds to a different machine.

No, but you raise a good point :)  I'll update this patch to make it
configurable.

Ricardo Wurmus <rekado@HIDDEN> writes:

> This will overwrite an existing acl file on the remote with a copy
> that differs only in the newly added key.
>
> Is there a chance for corruption, e.g. if acl->public-keys returns
> something unexpected?

I suppose it's possible. 'guix archive --authorize' doesn't seem to do
any specific handling for it, but it doesn't hurt to be paranoid -- we
"atomically" overwrite the GC root for the bootloader configuration, for
example, and we could do something similar here. I'll include it in the
updated patch.

Regards,
Jakob

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--





Message received at 36956 <at> debbugs.gnu.org:


Received: (at 36956) by debbugs.gnu.org; 7 Aug 2019 19:40:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Aug 07 15:40:04 2019
Received: from localhost ([127.0.0.1]:39451 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hvRn2-0001cG-JC
	for submit <at> debbugs.gnu.org; Wed, 07 Aug 2019 15:40:04 -0400
Received: from sender-of-o51.zoho.com ([135.84.80.216]:21286)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rekado@HIDDEN>) id 1hvRmz-0001bj-6e
 for 36956 <at> debbugs.gnu.org; Wed, 07 Aug 2019 15:40:03 -0400
Received: from localhost (p54AD4F61.dip0.t-ipconnect.de [84.173.79.97]) by
 mx.zohomail.com with SMTPS id 1565206795607695.990957731765;
 Wed, 7 Aug 2019 12:39:55 -0700 (PDT)
References: <87ef1x4015.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
From: Ricardo Wurmus <rekado@HIDDEN>
To: Jakob L. Kreuze <zerodaysfordays@HIDDEN>
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
In-reply-to: <87ef1x4015.fsf@HIDDEN>
X-URL: https://elephly.net
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
Date: Wed, 07 Aug 2019 21:39:51 +0200
Message-ID: <874l2sydbs.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-ZohoMailClient: External
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 36956
Cc: 36956 <at> debbugs.gnu.org


Jakob L. Kreuze <zerodaysfordays@HIDDEN> writes:

> +(define (remote-authorize-signing-key key session)
> +  "Send KEY, a canonical sexp containing a public key, over SESSION and add it
> +to the system ACL file if it has not yet been authorized."
> +  (inferior-remote-eval
> +   `(begin
> +      (use-modules (guix build utils)
> +                   (guix pki)
> +                   (guix utils)
> +                   (gcrypt pk-crypto)
> +                   (srfi srfi-26))
> +
> +      (define acl (current-acl))
> +      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
> +
> +      (unless (authorized-key? key)
> +        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
> +          (mkdir-p (dirname %acl-file))
> +          (with-atomic-file-output %acl-file
> +            (cut write-acl acl <>)))))
> +   session))
> +
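
Review bot: the body reads the ACL with `(current-acl)`, tests `authorized-key?`, and only then writes, with nothing serializing that sequence; two coordinators deploying to the same target at the same time can each read the old file, and the later `with-atomic-file-output` then discards the key the other one added. Taking a lock around the whole read-modify-write would close that window.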

This will overwrite an existing acl file on the remote with a copy that
differs only in the newly added key.

Is there a chance for corruption, e.g. if acl->public-keys returns
something unexpected?

--
Ricardo





Information forwarded to guix-patches@HIDDEN:
bug#36956; Package guix-patches. Full text available.

Message received at 36956 <at> debbugs.gnu.org:


References: <87ef1x4015.fsf@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
From: Christopher Lemmer Webber <cwebber@HIDDEN>
To: guix-patches@HIDDEN
Subject: Re: [bug#36956] [PATCH] machine: Automatically authorize the
 coordinator's signing key.
In-reply-to: <87ef1x4015.fsf@HIDDEN>
Date: Wed, 07 Aug 2019 15:18:47 -0400
Message-ID: <874l2spyw8.fsf@HIDDEN>

This seems like a good usability improvement.  For clarity, I assume
that it's still configurable, however?  Would be important if pushing
builds to a different machine.

Jakob L. Kreuze writes:

> * guix/ssh.scm (remote-authorize-signing-key): New variable.
> * gnu/machine/ssh.scm (deploy-managed-host): Authorize coordinator's
> signing key before any invocations of 'remote-eval'.
> * guix/scripts/deploy.scm (guix-deploy): Display an error if a signing
> key does not exist.
> * doc/guix.texi (Invoking guix deploy): Remove section describing manual
> signing key authorization.
> ---
>  doc/guix.texi           | 16 ----------------
>  gnu/machine/ssh.scm     |  7 +++++++
>  guix/scripts/deploy.scm |  7 +++++++
>  guix/ssh.scm            | 23 +++++++++++++++++++++++
>  4 files changed, 37 insertions(+), 16 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 734206a4b2..64ca44d494 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -25530,22 +25530,6 @@ complex deployment may involve, for example, starting virtual machines through
>  a Virtual Private Server (VPS) provider.  In such a case, a different
>  @var{environment} type would be used.
>  
> -Do note that you first need to generate a key pair on the coordinator machine
> -to allow the daemon to export signed archives of files from the store
> -(@pxref{Invoking guix archive}).
> -
> -@example
> -# guix archive --generate-key
> -@end example
> -
> -@noindent
> -Each target machine must authorize the key of the master machine so that it
> -accepts store items it receives from the coordinator:
> -
> -@example
> -# guix archive --authorize < coordinator-public-key.txt
> -@end example
> -
>  @deftp {Data Type} machine
>  This is the data type representing a single machine in a heterogeneous Guix
>  deployment.
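Review bot: The removal also drops the 'guix archive --generate-key' step, yet that step is still required on the coordinator, since guix/scripts/deploy.scm in this same patch exits with an error when the signing key is missing. Keep the key-generation paragraph and replace only the manual '--authorize' paragraph with a sentence stating that 'guix deploy' now adds the coordinator's key to each target's ACL, so administrators know that a trust change is made on their behalf.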
> diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
> index 1f16d9a5ea..90deff19a8 100644
> --- a/gnu/machine/ssh.scm
> +++ b/gnu/machine/ssh.scm
> @@ -28,13 +28,16 @@
>    #:use-module (guix i18n)
>    #:use-module (guix modules)
>    #:use-module (guix monads)
> +  #:use-module (guix pki)
>    #:use-module (guix records)
>    #:use-module (guix remote)
>    #:use-module (guix scripts system reconfigure)
>    #:use-module (guix ssh)
>    #:use-module (guix store)
>    #:use-module (guix utils)
> +  #:use-module (gcrypt pk-crypto)
>    #:use-module (ice-9 match)
> +  #:use-module (ice-9 textual-ports)
>    #:use-module (srfi srfi-1)
>    #:use-module (srfi srfi-19)
>    #:use-module (srfi srfi-26)
> @@ -329,6 +332,10 @@ the 'should-roll-back' field set to SHOULD-ROLL-BACK?"
>    "Internal implementation of 'deploy-machine' for MACHINE instances with an
>  environment type of 'managed-host."
>    (maybe-raise-unsupported-configuration-error machine)
> +  (remote-authorize-signing-key (call-with-input-file %public-key-file
> +                                  (lambda (port)
> +                                    (string->canonical-sexp (get-string-all port))))
> +                                (machine-ssh-session machine))
>    (mlet %store-monad ((_ (check-deployment-sanity machine))
>                        (boot-parameters (machine-boot-parameters machine)))
>      (let* ((os (machine-operating-system machine))
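Review bot: 'remote-authorize-signing-key' is called ahead of the 'mlet' that runs 'check-deployment-sanity', so the target's ACL is modified even when the sanity check then rejects the deployment, and there is no way to opt out for machines whose authorized keys are managed by other means. If the sanity check does not itself need the key to be authorized, move the call after it; otherwise add a comment saying why it must come first. Consider gating the call on a field of the machine's configuration.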
> diff --git a/guix/scripts/deploy.scm b/guix/scripts/deploy.scm
> index 6a67985c8b..075c74d395 100644
> --- a/guix/scripts/deploy.scm
> +++ b/guix/scripts/deploy.scm
> @@ -20,6 +20,7 @@
>  (define-module (guix scripts deploy)
>    #:use-module (gnu machine)
>    #:use-module (guix discovery)
> +  #:use-module (guix pki)
>    #:use-module (guix scripts)
>    #:use-module (guix scripts build)
>    #:use-module (guix store)
> @@ -83,6 +84,12 @@ Perform the deployment specified by FILE.\n"))
>  (define (guix-deploy . args)
>    (define (handle-argument arg result)
>      (alist-cons 'file arg result))
> +
> +  (unless (file-exists? %public-key-file)
> +    (leave (G_ "no signing key '~a'
> +have you run 'guix archive --generate-key?'~%")
> +           %public-key-file))
> +
>    (let* ((opts (parse-command-line args %options (list %default-options)
>                                     #:argument-handler handle-argument))
>           (file (assq-ref opts 'file))
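Review bot: The 'file-exists?' test on '%public-key-file' runs before 'parse-command-line', so every invocation fails without a signing key, including any that would otherwise be handled entirely by the option parser. Move the 'unless' form to after the options are parsed, just before the deployment starts. In the message, the question mark sits inside the quoted command ('guix archive --generate-key?') and reads as part of the option name; put it after the closing quote.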
> diff --git a/guix/ssh.scm b/guix/ssh.scm
> index 9b5ca68894..5186c646ca 100644
> --- a/guix/ssh.scm
> +++ b/guix/ssh.scm
> @@ -21,6 +21,7 @@
>    #:use-module (guix inferior)
>    #:use-module (guix i18n)
>    #:use-module ((guix utils) #:select (&fix-hint))
> +  #:use-module (gcrypt pk-crypto)
>    #:use-module (ssh session)
>    #:use-module (ssh auth)
>    #:use-module (ssh key)
> @@ -40,6 +41,7 @@
>              remote-daemon-channel
>              connect-to-remote-daemon
>              remote-system
> +            remote-authorize-signing-key
>              send-files
>              retrieve-files
>              retrieve-files*
> @@ -289,6 +291,27 @@ the machine on the other end of SESSION."
>    (inferior-remote-eval '(begin (use-modules (guix utils)) (%current-system))
>                          session))
>  
> +(define (remote-authorize-signing-key key session)
> +  "Send KEY, a canonical sexp containing a public key, over SESSION and add it
> +to the system ACL file if it has not yet been authorized."
> +  (inferior-remote-eval
> +   `(begin
> +      (use-modules (guix build utils)
> +                   (guix pki)
> +                   (guix utils)
> +                   (gcrypt pk-crypto)
> +                   (srfi srfi-26))
> +
> +      (define acl (current-acl))
> +      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
> +
> +      (unless (authorized-key? key)
> +        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
> +          (mkdir-p (dirname %acl-file))
> +          (with-atomic-file-output %acl-file
> +            (cut write-acl acl <>)))))
> +   session))
> +
>  (define* (send-files local files remote
>                       #:key
>                       recursive?
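Review bot: Inside the 'unless' body the whole ACL is regenerated from '(acl->public-keys acl)' plus the new key and then written over '%acl-file', so any existing entry that 'acl->public-keys' does not return is lost without notice, and the procedure gives the caller no indication of whether a key was just added to the target's trust list. Before writing, check that the rebuilt ACL still contains every key of the old one, and return a value that says whether the key was added so that 'guix deploy' can report it. The docstring should also state that the file is replaced rather than appended to.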





Information forwarded to guix-patches@HIDDEN:
bug#36956; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: zerodaysfordays@HIDDEN (Jakob L. Kreuze)
To: guix-patches@HIDDEN
Subject: [PATCH] machine: Automatically authorize the coordinator's signing
 key.
Date: Wed, 07 Aug 2019 08:45:10 -0400
Message-ID: <87ef1x4015.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

* guix/ssh.scm (remote-authorize-signing-key): New variable.
* gnu/machine/ssh.scm (deploy-managed-host): Authorize coordinator's
signing key before any invocations of 'remote-eval'.
* guix/scripts/deploy.scm (guix-deploy): Display an error if a signing
key does not exist.
* doc/guix.texi (Invoking guix deploy): Remove section describing manual
signing key authorization.
=2D--
 doc/guix.texi           | 16 ----------------
 gnu/machine/ssh.scm     |  7 +++++++
 guix/scripts/deploy.scm |  7 +++++++
 guix/ssh.scm            | 23 +++++++++++++++++++++++
 4 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 734206a4b2..64ca44d494 100644
=2D-- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -25530,22 +25530,6 @@ complex deployment may involve, for example, start=
ing virtual machines through
 a Virtual Private Server (VPS) provider.  In such a case, a different
 @var{environment} type would be used.
=20
=2DDo note that you first need to generate a key pair on the coordinator ma=
chine
=2Dto allow the daemon to export signed archives of files from the store
=2D(@pxref{Invoking guix archive}).
=2D
=2D@example
=2D# guix archive --generate-key
=2D@end example
=2D
=2D@noindent
=2DEach target machine must authorize the key of the master machine so that=
 it
=2Daccepts store items it receives from the coordinator:
=2D
=2D@example
=2D# guix archive --authorize < coordinator-public-key.txt
=2D@end example
=2D
 @deftp {Data Type} machine
 This is the data type representing a single machine in a heterogeneous Guix
 deployment.
diff --git a/gnu/machine/ssh.scm b/gnu/machine/ssh.scm
index 1f16d9a5ea..90deff19a8 100644
=2D-- a/gnu/machine/ssh.scm
+++ b/gnu/machine/ssh.scm
@@ -28,13 +28,16 @@
   #:use-module (guix i18n)
   #:use-module (guix modules)
   #:use-module (guix monads)
+  #:use-module (guix pki)
   #:use-module (guix records)
   #:use-module (guix remote)
   #:use-module (guix scripts system reconfigure)
   #:use-module (guix ssh)
   #:use-module (guix store)
   #:use-module (guix utils)
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 textual-ports)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-19)
   #:use-module (srfi srfi-26)
@@ -329,6 +332,10 @@ the 'should-roll-back' field set to SHOULD-ROLL-BACK?"
   "Internal implementation of 'deploy-machine' for MACHINE instances with =
an
 environment type of 'managed-host."
   (maybe-raise-unsupported-configuration-error machine)
+  (remote-authorize-signing-key (call-with-input-file %public-key-file
+                                  (lambda (port)
+                                    (string->canonical-sexp (get-string-al=
l port))))
+                                (machine-ssh-session machine))
   (mlet %store-monad ((_ (check-deployment-sanity machine))
                       (boot-parameters (machine-boot-parameters machine)))
     (let* ((os (machine-operating-system machine))
diff --git a/guix/scripts/deploy.scm b/guix/scripts/deploy.scm
index 6a67985c8b..075c74d395 100644
=2D-- a/guix/scripts/deploy.scm
+++ b/guix/scripts/deploy.scm
@@ -20,6 +20,7 @@
 (define-module (guix scripts deploy)
   #:use-module (gnu machine)
   #:use-module (guix discovery)
+  #:use-module (guix pki)
   #:use-module (guix scripts)
   #:use-module (guix scripts build)
   #:use-module (guix store)
@@ -83,6 +84,12 @@ Perform the deployment specified by FILE.\n"))
 (define (guix-deploy . args)
   (define (handle-argument arg result)
     (alist-cons 'file arg result))
+
+  (unless (file-exists? %public-key-file)
+    (leave (G_ "no signing key '~a'
+have you run 'guix archive --generate-key?'~%")
+           %public-key-file))
+
   (let* ((opts (parse-command-line args %options (list %default-options)
                                    #:argument-handler handle-argument))
          (file (assq-ref opts 'file))
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 9b5ca68894..5186c646ca 100644
=2D-- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -21,6 +21,7 @@
   #:use-module (guix inferior)
   #:use-module (guix i18n)
   #:use-module ((guix utils) #:select (&fix-hint))
+  #:use-module (gcrypt pk-crypto)
   #:use-module (ssh session)
   #:use-module (ssh auth)
   #:use-module (ssh key)
@@ -40,6 +41,7 @@
             remote-daemon-channel
             connect-to-remote-daemon
             remote-system
+            remote-authorize-signing-key
             send-files
             retrieve-files
             retrieve-files*
@@ -289,6 +291,27 @@ the machine on the other end of SESSION."
   (inferior-remote-eval '(begin (use-modules (guix utils)) (%current-syste=
m))
                         session))
=20
+(define (remote-authorize-signing-key key session)
+  "Send KEY, a canonical sexp containing a public key, over SESSION and ad=
d it
+to the system ACL file if it has not yet been authorized."
+  (inferior-remote-eval
+   `(begin
+      (use-modules (guix build utils)
+                   (guix pki)
+                   (guix utils)
+                   (gcrypt pk-crypto)
+                   (srfi srfi-26))
+
+      (define acl (current-acl))
+      (define key (string->canonical-sexp ,(canonical-sexp->string key)))
+
+      (unless (authorized-key? key)
+        (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
+          (mkdir-p (dirname %acl-file))
+          (with-atomic-file-output %acl-file
+            (cut write-acl acl <>)))))
+   session))
+
 (define* (send-files local files remote
                      #:key
                      recursive?
=2D-=20
2.22.0


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--




Acknowledgement sent to zerodaysfordays@HIDDEN (Jakob L. Kreuze):
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#36956; Package guix-patches. Full text available.
Last modified: Thu, 15 Aug 2019 06:00:02 UTC
