GNU bug report logs - #71918
[DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work
To reply to this bug, email your comments to 71918 AT debbugs.gnu.org.
There is no need to reopen the bug first.
Report forwarded to bug-guix <at> gnu.org: bug#71918; Package guix. (Wed, 03 Jul 2024 14:49:02 GMT)
Acknowledgement sent to Attila Lendvai <attila <at> lendvai.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 03 Jul 2024 14:49:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
context:
--------
i was trying to:
$ ./pre-inst-env guix refresh --update dropbear
but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.
the problem:
------------
then i went to the manual, and it suggests:
$ gpg --export rms <at> gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
and i ran:
$ curl https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc | gpg --import
$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >>~/.config/guix/upstream/trustedkeys.kbx
it ran without errors, but when i tried to guix refresh it failed with:
gpgv: [don't know]: invalid packet (ctb=00)
i double checked, and made sure the trustedkeys.kbx was empty prior to running the above.
analysis:
---------
i ran the following after guix refresh has successfully imported the key:
$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >x
$ file x
x: data
$ file ~/.config/guix/upstream/trustedkeys.kbx
/home/user/.config/guix/upstream/trustedkeys.kbx: OpenPGP Public Key Version 4, Created Mon Jun 29 12:53:01 2015, RSA (Encrypt or Sign, 4096 bits)
$ ll x
-rw-r--r-- 1 user users 1883 Jul 3 16:41 x
$ ll ~/.config/guix/upstream/trustedkeys.kbx
-rw-r--r-- 1 user users 1208 Jul 3 16:18 /home/user/.config/guix/upstream/trustedkeys.kbx
i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.
workaround:
-----------
in the end i cleared the trustedkeys.kbx file, and i used another keyserver that doesn't strip the ID:
./pre-inst-env guix refresh --key-server="hkps://keyserver.ubuntu.com" --update dropbear
--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Good people don’t need laws to tell them to act responsibly, and bad people will find a way around the laws.”
— Plato (c. 427–347 BC)
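The `file` comparison in the report above is a format check on the keyring, and gpgv's `invalid packet (ctb=00)` names a first octet of 0x00, which cannot start an OpenPGP packet. The following is an added example, not code from the report or from Guix, that makes the same check explicit; it relies on the keybox header blob carrying the magic `KBXf` at offset 8 and on RFC 4880 packet headers. The function names and both sample byte strings are constructed for illustration.

```python
import struct

KBX_MAGIC = b"KBXf"  # magic at offset 8 of a keybox header blob

def classify_keyring(data: bytes) -> str:
    """Return 'keybox', 'openpgp' or 'unknown' for the start of a keyring file."""
    if data[8:12] == KBX_MAGIC:
        return "keybox"
    # RFC 4880, section 4.2: bit 7 of a packet's first octet (the CTB) is always set.
    if data and data[0] & 0x80:
        return "openpgp"
    return "unknown"

def first_packet(data: bytes):
    """Parse the first OpenPGP packet header and return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError(f"invalid packet (ctb={ctb:02x})")
    if ctb & 0x40:  # new-format header: tag in bits 5-0
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled here")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[start:start + length]

def describe(data: bytes) -> dict:
    """Summarise a keyring file, like the `file` comparison in the report."""
    info = {"format": classify_keyring(data)}
    if info["format"] == "openpgp":
        tag, body = first_packet(data)
        info["tag"] = tag  # 6 is a public-key packet
        if tag == 6 and len(body) >= 6:
            info["version"] = body[0]
            info["created"] = int.from_bytes(body[1:5], "big")
    return info

# Constructed samples (not real keys): a keybox header blob, a v4 public-key packet.
KBX_SAMPLE = struct.pack(">IBBH4sIII", 32, 1, 1, 0, KBX_MAGIC, 0, 1700000000, 1700000000) + bytes(8)
PGP_SAMPLE = b"\x99\x00\x0e\x04" + struct.pack(">I", 1700000000) + b"\x01" + bytes(8)
```

To check a real keyring, pass `describe()` the bytes of the file, for example the contents of `trustedkeys.kbx` read in binary mode.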
Information forwarded to bug-guix <at> gnu.org: bug#71918; Package guix. (Wed, 24 Jul 2024 21:45:02 GMT)
Message #8 received at 71918 <at> debbugs.gnu.org (full text, mbox):
Hi,
Attila Lendvai <attila <at> lendvai.name> skribis:
> i was trying to:
>
> $ ./pre-inst-env guix refresh --update dropbear
>
> but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.
Yes, that’s the case of keys.openpgp.org, unless the user explicitly
consented to publishing user ID packets:
https://keys.openpgp.org/about
> then i went to the manual, and it suggests:
>
> $ gpg --export rms <at> gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
[...]
> i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.
Ouch. (I’m pretty sure I tested it back then, maybe something changed?)
Since that part is not so useful anyway, how about dropping the now
incorrect bit about kbxutil, like so:
diff --git a/doc/guix.texi b/doc/guix.texi
index 9ba96af459..7323931bad 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15050,14 +15050,7 @@ Invoking guix refresh
missing keys are downloaded to this keyring as well (see
@option{--key-download} below).
-You can export keys from your default GPG keyring into a keybox file using
-commands like this one:
-
-@example
-gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
-@end example
-
-Likewise, you can fetch keys to a specific keybox file like this:
+You can fetch keys to a specific keybox file like this:
@example
gpg --no-default-keyring --keyring mykeyring.kbx \
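Review bot: Deleting the example at `-gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx` leaves this section with no documented way to put a key that is already in the default GPG keyring, or that was downloaded as a file, into the keybox. That is the situation the report describes, where the key was fetched with curl after the key server returned it without a user ID. Consider replacing the removed paragraph with a tested local-import procedure instead of only dropping it, or say explicitly that fetching into the keyring as shown in the surviving example is the intended route.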
?
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#71918; Package guix. (Tue, 11 Mar 2025 14:03:02 GMT)
Message #11 received at 71918 <at> debbugs.gnu.org (full text, mbox):
Hi Attila,
Attila Lendvai <attila <at> lendvai.name> writes:
[...]
> workaround:
> -----------
>
> in the end i cleared the trustedkeys.kbx file, and i used another keyserver that doesn't strip the ID:
>
> ./pre-inst-env guix refresh --key-server="hkps://keyserver.ubuntu.com" --update dropbear
I believe the above key server has been the default for a few years
already. Perhaps you have a personal gnupg config pointing to a
different server?
--
Thanks,
Maxim
Information forwarded to bug-guix <at> gnu.org: bug#71918; Package guix. (Tue, 11 Mar 2025 14:04:01 GMT)
Message #14 received at 71918 <at> debbugs.gnu.org (full text, mbox):
Hi,
Ludovic Courtès <ludo <at> gnu.org> writes:
[...]
> Ouch. (I’m pretty sure I tested it back then, maybe something changed?)
>
> Since that part is not so useful anyway, how about dropping the now
> incorrect bit about kbxutil, like so:
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 9ba96af459..7323931bad 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -15050,14 +15050,7 @@ Invoking guix refresh
> missing keys are downloaded to this keyring as well (see
> @option{--key-download} below).
>
> -You can export keys from your default GPG keyring into a keybox file using
> -commands like this one:
> -
> -@example
> -gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
> -@end example
> -
> -Likewise, you can fetch keys to a specific keybox file like this:
> +You can fetch keys to a specific keybox file like this:
>
> @example
> gpg --no-default-keyring --keyring mykeyring.kbx \
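Review bot: The retained context line `missing keys are downloaded to this keyring as well (see @option{--key-download} below)` still reads as if the download always yields a usable key, while this report began with a download that imported nothing because of "no user ID". A sentence next to the surviving example that points to `--key-server` for that case would document the workaround used in the report (`--key-server="hkps://keyserver.ubuntu.com"`).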
Sounds reasonable to me.
--
Thanks,
Maxim
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Tue, 25 Mar 2025 09:05:02 GMT)
Notification sent to Attila Lendvai <attila <at> lendvai.name>: bug acknowledged by developer. (Tue, 25 Mar 2025 09:05:02 GMT)
Message #19 received at 71918-done <at> debbugs.gnu.org (full text, mbox):
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> skribis:
>> -You can export keys from your default GPG keyring into a keybox file using
>> -commands like this one:
>> -
>> -@example
>> -gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
>> -@end example
>> -
>> -Likewise, you can fetch keys to a specific keybox file like this:
>> +You can fetch keys to a specific keybox file like this:
>>
>> @example
>> gpg --no-default-keyring --keyring mykeyring.kbx \
>
> Sounds reasonable to me.
Finally applied, thanks!