archive: Make /etc/guix/signing-key.* readable by ‘guix-daemon’.

The manual suggests running ‘guix archive --generate-key’ as root, but that would lead to root-owned /etc/guix/signing-key.{pub,sec}, with the secret key unreadable by the unprivileged guix-daemon. This fixes it. Reported in guix/guix#4844. * guix/scripts/archive.scm (generate-key-pair)[ensure-daemon-ownership]: New procedure. Use it for ‘%public-key-file’, ‘%private-key-file’, and their parent directory. Reported-by: Rutherther <rutherther@ditigal.xyz> Change-Id: I7ae980bfd40078fb7ef27a193217b15f366d5d50 Signed-off-by: Ludovic Courtès <ludo@gnu.org> Merges: #4958
2026-01-25 03:55:08 -06:00 · 2025-12-19 08:34:28 +01:00 · 2025-12-19 08:34:28 +01:00 · f55793c575
commit f55793c575
parent 0ac2a0fd18
1 changed files with 18 additions and 1 deletions
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@ -279,16 +279,33 @@ this may take time...~%"))
                            (error-source err)
                            (error-string err)))))
         (public (find-sexp-token pair 'public-key))
-         (secret (find-sexp-token pair 'private-key)))
+         (secret (find-sexp-token pair 'private-key))
+         (store  (stat (%store-prefix) #f)))
+    (define (ensure-daemon-ownership file)
+      ;; Ensure FILE is readable by the daemon, by changing ownership either
+      ;; to root or to the owner of the store.
+      (when store
+        (chown file
+               (stat:uid store)
+               (match (stat:uid store)
+                 ;; When the store is root-owned, use 0 as the GID for the
+                 ;; keys (the store's GID is usually that of 'guixbuild').
+                 (0 0)
+                 (_ (stat:gid store))))))
+
    ;; Create the following files as #o400.
    (umask #o266)

    (mkdir-p (dirname %public-key-file))
+    (ensure-daemon-ownership (dirname %public-key-file))
+
    (with-atomic-file-output %public-key-file
      (lambda (port)
+        (ensure-daemon-ownership port)
        (display (canonical-sexp->string public) port)))
    (with-atomic-file-output %private-key-file
      (lambda (port)
+        (ensure-daemon-ownership port)
        (display (canonical-sexp->string secret) port)))

    ;; Make the public key readable by everyone.