bartronx7/guix
1
0
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2026-01-25 03:55:08 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

archive: Make /etc/guix/signing-key.* readable by ‘guix-daemon’.

Browse source 
The manual suggests running ‘guix archive --generate-key’ as root, but that
would lead to root-owned /etc/guix/signing-key.{pub,sec}, with the secret key
unreadable by the unprivileged guix-daemon.  This fixes it.

Reported in guix/guix#4844.

* guix/scripts/archive.scm (generate-key-pair)[ensure-daemon-ownership]: New
procedure.
Use it for ‘%public-key-file’, ‘%private-key-file’, and their parent
directory.

Reported-by: Rutherther <rutherther@ditigal.xyz>
Change-Id: I7ae980bfd40078fb7ef27a193217b15f366d5d50
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Merges: #4958
This commit is contained in:
Ludovic Courtès 2025-12-19 08:34:28 +01:00
parent 0ac2a0fd18
commit f55793c575
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5
1 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
guix/scripts/archive.scm
View file

@ -279,16 +279,33 @@ this may take time...~%"))
(error-source err) (error-source err)
(error-string err))))) (error-string err)))))
(public (find-sexp-token pair 'public-key)) (public (find-sexp-token pair 'public-key))
(secret (find-sexp-token pair 'private-key))) (secret (find-sexp-token pair 'private-key))
(store (stat (%store-prefix) #f)))
(define (ensure-daemon-ownership file)
;; Ensure FILE is readable by the daemon, by changing ownership either
;; to root or to the owner of the store.
(when store
(chown file
(stat:uid store)
(match (stat:uid store)
;; When the store is root-owned, use 0 as the GID for the
;; keys (the store's GID is usually that of 'guixbuild').
(0 0)
(_ (stat:gid store))))))
;; Create the following files as #o400. ;; Create the following files as #o400.
(umask #o266) (umask #o266)
(mkdir-p (dirname %public-key-file)) (mkdir-p (dirname %public-key-file))
(ensure-daemon-ownership (dirname %public-key-file))
(with-atomic-file-output %public-key-file (with-atomic-file-output %public-key-file
(lambda (port) (lambda (port)
(ensure-daemon-ownership port)
(display (canonical-sexp->string public) port))) (display (canonical-sexp->string public) port)))
(with-atomic-file-output %private-key-file (with-atomic-file-output %private-key-file
(lambda (port) (lambda (port)
(ensure-daemon-ownership port)
(display (canonical-sexp->string secret) port))) (display (canonical-sexp->string secret) port)))
;; Make the public key readable by everyone. ;; Make the public key readable by everyone.