GNU bug report logs - #71918
[DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work


Package: guix;

Reported by: Attila Lendvai <attila <at> lendvai.name>

Date: Wed, 3 Jul 2024 14:49:02 UTC

Severity: normal



Report forwarded to bug-guix <at> gnu.org:
bug#71918; Package guix. (Wed, 03 Jul 2024 14:49:02 GMT)

Acknowledgement sent to Attila Lendvai <attila <at> lendvai.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 03 Jul 2024 14:49:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Attila Lendvai <attila <at> lendvai.name>
To: "bug-guix <at> gnu.org" <bug-guix <at> gnu.org>
Subject: [DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work
Date: Wed, 03 Jul 2024 14:48:36 +0000
context:
--------

i was trying to:

$ ./pre-inst-env guix refresh --update dropbear

but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.


the problem:
------------

then i went to the manual, and it suggests:

$ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

and i ran:

$ curl https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc | gpg --import
$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >>~/.config/guix/upstream/trustedkeys.kbx

it ran without errors, but when i tried to guix refresh it failed with:

gpgv: [don't know]: invalid packet (ctb=00)

i double checked, and made sure the trustedkeys.kbx was empty prior to running the above.


analysis:
---------

i ran the following after guix refresh has successfully imported the key:

$ gpg --export F7347EF2EE2E07A267628CA944931494F29C6773 | kbxutil --import-openpgp >x
$ file x
x: data
$ file ~/.config/guix/upstream/trustedkeys.kbx
/home/user/.config/guix/upstream/trustedkeys.kbx: OpenPGP Public Key Version 4, Created Mon Jun 29 12:53:01 2015, RSA (Encrypt or Sign, 4096 bits)
$ ll x
-rw-r--r-- 1 user users 1883 Jul  3 16:41 x
$ ll ~/.config/guix/upstream/trustedkeys.kbx
-rw-r--r-- 1 user users 1208 Jul  3 16:18 /home/user/.config/guix/upstream/trustedkeys.kbx

i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.


workaround:
-----------

in the end i cleared the trustedkeys.kbx file, and i used another keyserver that doesn't strip the ID:

./pre-inst-env guix refresh --key-server="hkps://keyserver.ubuntu.com" --update dropbear

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Good people don’t need laws to tell them to act responsibly, and bad people will find a way around the laws.”
	— Plato (c. 427–347 BC)
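As an added illustration (not part of the report, and not Guix or GnuPG code): the two files differ at the very first byte. A keybox file, which is what kbxutil writes, begins with a header blob whose first field is a big-endian length, so its first byte is 0x00, while gpgv reads that byte as an OpenPGP packet tag (ctb) and requires bit 7 to be set. The sample bytes below are constructed (the public-key packet is modelled on the creation time shown by `file` above, with a truncated body), not taken from the dropbear key.

```python
import struct

KBX_MAGIC = b"KBXf"           # magic at offset 8 of a keybox header blob
KBX_HEADER_BLOB_TYPE = 1      # blob type 1 = header blob
# OpenPGP packet tags relevant to a public keyring (RFC 4880, section 4.3)
PACKET_TAGS = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}


def classify_keyring(data: bytes) -> dict:
    """Classify the first record of a keyring file as keybox, openpgp or invalid."""
    if len(data) < 12:
        return {"format": "invalid", "reason": "too short"}
    # Keybox header blob: u32 length, u8 type, u8 version, u16 flags, b4 magic
    length, blob_type, version = struct.unpack(">IBB", data[:6])
    if blob_type == KBX_HEADER_BLOB_TYPE and data[8:12] == KBX_MAGIC:
        return {"format": "keybox", "header_length": length,
                "version": version, "ctb": data[0]}
    ctb = data[0]
    if not ctb & 0x80:
        # RFC 4880 s4.2: bit 7 of the first octet is always set; a 0x00 byte is
        # therefore not a packet, which gpgv reports as "invalid packet (ctb=00)"
        return {"format": "invalid", "reason": f"invalid packet (ctb={ctb:02x})", "ctb": ctb}
    if ctb & 0x40:                     # new-format packet: tag in bits 0-5
        tag, pkt_format = ctb & 0x3F, "new"
    else:                              # old-format packet: tag in bits 2-5
        tag, pkt_format = (ctb >> 2) & 0x0F, "old"
    return {"format": "openpgp", "tag": tag,
            "tag_name": PACKET_TAGS.get(tag, "other"),
            "packet_format": pkt_format, "ctb": ctb}


# Constructed samples (not real keys):
# 1. a 32-byte keybox header blob, as kbxutil writes at the start of a .kbx file
SAMPLE_KBX = struct.pack(">IBBH", 32, KBX_HEADER_BLOB_TYPE, 1, 0) + KBX_MAGIC + bytes(20)
# 2. the start of an old-format public-key packet (ctb 0x99: tag 6, two-byte
#    length), version 4, creation time 2015-06-29 12:53:01 UTC, algorithm 1 (RSA)
SAMPLE_OPENPGP = (bytes([0x99, 0x02, 0x0D, 0x04]) + struct.pack(">I", 1435582381)
                  + b"\x01" + bytes(8))

if __name__ == "__main__":
    for name, blob in (("keybox", SAMPLE_KBX), ("openpgp", SAMPLE_OPENPGP)):
        print(name, classify_keyring(blob))
```

Run against a real `trustedkeys.kbx` created by `guix refresh`, the first byte is an OpenPGP ctb; run against the output of `kbxutil --import-openpgp`, it is the 0x00 that gpgv rejects.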

Information forwarded to bug-guix <at> gnu.org:
bug#71918; Package guix. (Wed, 24 Jul 2024 21:45:02 GMT)

Message #8 received at 71918 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Attila Lendvai <attila <at> lendvai.name>
Cc: 71918 <at> debbugs.gnu.org
Subject: Re: bug#71918: [DOCUMENTATION] the suggested key import method for `guix refresh` doesn't work
Date: Wed, 24 Jul 2024 23:44:02 +0200
Hi,

Attila Lendvai <attila <at> lendvai.name> wrote:

> i was trying to:
>
> $ ./pre-inst-env guix refresh --update dropbear
>
> but the key is not imported, because "no user ID". apparently some keyservers drop the user id for privacy reasons.

Yes, that’s the case of keys.openpgp.org, unless the user explicitly
consented to publishing user ID packets:

  https://keys.openpgp.org/about

> then i went to the manual, and it suggests:
> 
> $ gpg --export rms@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx

[...]

> i.e. what the manual suggests results in a different file format than what guix refresh creates/expects.

Ouch.  (I’m pretty sure I tested it back then, maybe something changed?)

Since that part is not so useful anyway, how about dropping the now
incorrect bit about kbxutil, like so:

diff --git a/doc/guix.texi b/doc/guix.texi
index 9ba96af459..7323931bad 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -15050,14 +15050,7 @@ Invoking guix refresh
 missing keys are downloaded to this keyring as well (see
 @option{--key-download} below).
 
-You can export keys from your default GPG keyring into a keybox file using
-commands like this one:
-
-@example
-gpg --export rms@@gnu.org | kbxutil --import-openpgp >> mykeyring.kbx
-@end example
-
-Likewise, you can fetch keys to a specific keybox file like this:
+You can fetch keys to a specific keybox file like this:
 
 @example
 gpg --no-default-keyring --keyring mykeyring.kbx \
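Review bot: with the kbxutil paragraph removed, this section no longer tells readers how to seed the keybox from a key that is already in their default GnuPG keyring, which is exactly what the reporter needed once keys.openpgp.org served the key without a user ID; the retained "You can fetch keys to a specific keybox file like this:" example only covers fetching from a keyserver. Consider adding one sentence noting that the same `gpg --no-default-keyring --keyring mykeyring.kbx` invocation accepts `--import` of output from `gpg --export`, or pointing readers at `--key-server` for keyservers that publish user IDs, so the documented workflow still has a path that does not depend on the default keyserver. The rewording from "Likewise, you can fetch keys" to "You can fetch keys" is right now that the preceding paragraph is gone.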
?

Thanks,
Ludo’.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.