From f55793c575fcf8667d52e0b458fee62ef0d69d0c Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Fri, 19 Dec 2025 08:34:28 +0100
Subject: [PATCH] archive: Make /etc/guix/signing-key.* readable by ‘guix-daemon’.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The manual suggests running ‘guix archive --generate-key’ as root, but that
would lead to root-owned /etc/guix/signing-key.{pub,sec}, with the secret key
unreadable by the unprivileged guix-daemon.  This fixes it.

Reported in guix/guix#4844.

* guix/scripts/archive.scm (generate-key-pair)[ensure-daemon-ownership]: New
procedure.  Use it for ‘%public-key-file’, ‘%private-key-file’, and their
parent directory.

Reported-by: Rutherther
Change-Id: I7ae980bfd40078fb7ef27a193217b15f366d5d50
Signed-off-by: Ludovic Courtès
Merges: #4958
---
 guix/scripts/archive.scm | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index cf2c045c2e5..febd46f4580 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -279,16 +279,33 @@ this may take time...~%")) (error-source err) (error-string err))))) (public (find-sexp-token pair 'public-key)) - (secret (find-sexp-token pair 'private-key))) + (secret (find-sexp-token pair 'private-key)) + (store (stat (%store-prefix) #f))) + (define (ensure-daemon-ownership file) + ;; Ensure FILE is readable by the daemon, by changing ownership either + ;; to root or to the owner of the store. + (when store + (chown file + (stat:uid store) + (match (stat:uid store) + ;; When the store is root-owned, use 0 as the GID for the + ;; keys (the store's GID is usually that of 'guixbuild'). + (0 0) + (_ (stat:gid store)))))) + ;; Create the following files as #o400. (umask #o266) (mkdir-p (dirname %public-key-file)) + (ensure-daemon-ownership (dirname %public-key-file)) + (with-atomic-file-output %public-key-file (lambda (port) + (ensure-daemon-ownership port) (display (canonical-sexp->string public) port))) (with-atomic-file-output %private-key-file (lambda (port) + (ensure-daemon-ownership port) (display (canonical-sexp->string secret) port))) ;; Make the public key readable by everyone.
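Review bot: `ensure-daemon-ownership` is a silent no-op when `(stat (%store-prefix) #f)` returns #f, so on a host where the store directory does not exist yet the keys are left owned by whoever ran `guix archive --generate-key` (root, in the scenario the commit message describes), which is exactly the outcome this patch is meant to prevent; consider at least emitting a warning when `store` is #f so the operator knows ownership was not adjusted. Two smaller points in the same hunk: `(ensure-daemon-ownership (dirname %public-key-file))` chowns /etc/guix unconditionally, including when `mkdir-p` found the directory already present with other contents, which is a wider side effect than the commit message ("Use it for ... their parent directory") suggests and deserves either a comment or a narrower condition; and `(stat:uid store)` is evaluated twice inside the `chown` call, so binding it once with a `let` would read more clearly. The `chown` calls also have no visible handling of EPERM, so a non-root user running the command against a store owned by another user will get a raw system-error from inside `with-atomic-file-output` rather than a diagnostic.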