This reverts commit a7db92d9b3, this time with
the more careful command, to avoid a world rebuild:
grep -rl --exclude-dir=build --exclude-dir=patches --exclude=ld-wrapper.in \
--exclude=sitecustomize.py --exclude=guix-emacs.el maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
Change-Id: I0871f5cf9ace79e34e78e24154d0da6ea95a3a91
The change was automated via:
git grep -l maxim.cournoyer@gmail.com |
xargs sed -i 's/maxim.cournoyer@gmail.com/maxim@guixotic.coop/g'
* .mailmap: New entry.
Change-Id: Iaa88b1e51c94159c49138fb43910badb990eb169
Previously to this change, the 'guix refresh' download
policy (--key-download)would default to 'interactive', which would throw a
backtrace when guix was invoked with its stdin not connected to a peusdo
terminal (tty). This change makes the new default value 'auto' use
interactive only in an interactive environment, with 'always' used as
fallback.
* doc/guix.texi (Invoking guix refresh): Adjust doc.
* etc/completion/fish/guix.fish: Adjust accordingly.
* etc/completion/zsh/_guix (_guix_list_installed_packages): Likewise.
* guix/gnupg.scm (gnupg-verify*): Change default #:key-download argument value
to 'auto. Update doc. Validate argument. Raise an error in case read-line
returns #<eof>.
* guix/import/gnu.scm (gnu-package->sexp): <#:key-download>: Change default
value to 'auto.
* guix/import/gnu.scm (gnu->guix-package): <#:key-download>: Likewise.
* guix/scripts/import/gnu.scm (%options): Add "auto" to accepted
--key-download values.
(%default-options): Set default key-download option to the 'auto value.
(show-help): Update doc.
* guix/scripts/refresh.scm (show-help): Update doc.
(update-package) <#:key-download>: Change default value to 'auto. Update doc.
* guix/upstream.scm (download-tarball): <#:key-download>: Likewise.
(package-update): Likewise.
Change-Id: Id1ca8fd6d453ca4bc5b372534445e3beab9133a8
Fixes: https://issues.guix.gnu.org/76112
Reviewed-by: Ludovic Courtès <ludo@gnu.org>
The previous default "pool.sks-keyservers.net" doesn't seem to work anymore;
besides, users know best.
* guix/gnupg.scm (%openpgp-key-server): Default to #f, meaning not provided.
(gnupg-receive-keys): Make SERVER and KEYRING keyword arguments. Adjust doc.
Provide the '--keyserver' argument only when %openpgp-key-server is not #f.
(gnupg-verify*): Do not set a default value for SERVER. Adjust accordingly.
I (nckx) have revoked all RSA subkeys, in favour of my older and
freshly-refreshed ECDSA ones. This was merely a precaution: to my
knowledge all my RSA private keys have been carefully destroyed and
were never compromised. This commit keeps ‘make authenticate’ happy.
* guix/gnupg.scm (revkeysig-rx): New variable for revoked keys.
(gnupg-verify): Parse it.
(gnupg-status-good-signature?): Accept it as ‘good’ for our purposes.
* build-aux/git-authenticate.scm (%committers): Clarify nckx's subkeys.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This allows callers to distinguish between signature verification
failure and missing key.
* guix/gnupg.scm (gnupg-receive-keys): Return true on success.
(gnupg-verify*): Check return value of 'gnupg-receive-keys'. Return two
values, the first one being a symbol.
* guix/upstream.scm (download-tarball): Get the two return values of
'gnupg-verify*', and match on the first one.
* gnu/packages/bash.scm (download-patches): Check the first return value
of 'gnupg-verify*'.
This halves the run time on a large number of subsequent 'gnupg-verify'
calls.
* guix/gnupg.scm (sigid-rx, goodsig-rx, validsig-rx, expkeysig-rx)
(errsig-rx): New variables, lifted from...
(gnupg-verify)[status-line->sexp]: ... here.
Until then, 'gnupg-status-missing-key?' would return a key id. Its
user, 'gnupg-verify*', would then fetch a key with that ID from key
servers, thus possibly the wrong key (due to key ID collisions). If it
did fetch the wrong key, the effect would be a signature verification
failure down the path--e.g., in "guix refresh -u".
* guix/gnupg.scm (gnupg-verify)[maybe-fingerprint]: New procedure.
[status-line->sexp](errsig-rx): Add parenthetical expression at the end.
Fetch it and add it to the 'signature-error' sexp.
(gnupg-status-missing-key?): Match the whole 'signature-error' sexp and
return preferably the fingerprint rather than KEY-ID.
(gnupg-receive-keys): Rename 'key-id' parameter to 'fingerprint/key-id'.
Returning a key ID was inconsequential because the only user of
'gnupg-status-good-signature?', (guix upstream) (via 'gnupg-verify*'),
would not check the return value as long as it's true.
* guix/gnupg.scm (gnupg-status-good-signature?): Return a
fingerprint/user pair instead of key-id/user.
(gnupg-verify*): Mention it in docstring.
* guix/gnupg.scm (%gpgv-command, current-keyring): New variables
(gnupg-verify): Add optional 'keyring' parameter. Use 'gpgv' instead of
'gpg' and pass it '--keyring'.
(gnupg-receive-keys): Add optional 'keyring' parameter and honor it.
(gnupg-verify*): Add #:keyring and honor it.
* guix/scripts/refresh.scm (%options, show-help): Add '--keyring'.
(guix-refresh): Parameterize CURRENT-KEYRING.
* doc/guix.texi (Invoking guix refresh): Document '--keyring' and the
keybox format.
* guix/gnu-maintenance.scm (download-tarball): Add a 'key-download'
keyword argument and pass it to 'gnupg-verify*'. Make
'archive-type' a keyword argument.
(package-update): Add a 'key-download' keyword argument. Pass
'archive-type' and 'key-download' keyword arguments to
'download-tarball'.
* guix/gnupg.scm: Import (ice-9 i18n) and (guix ui).
(gnupg-verify*): Add a 'key-download' keyword argument and adjust
'gnupg-verify*' to use it. Make 'server' a keyword argument.
* guix/scripts/refresh.scm (show-help, %options): Add and document
'--key-download'.
(update-package): Add a 'key-download' keyword argument and pass it
to 'package-update'.
(guix-refresh): Pass 'key-download' to 'update-package'. Limit
lines to a maximum of 79 characters.
* guix/gnupg.scm (%gpg-command): Turn into a SRFI-39 parameter.
(%openpgp-key-server): Likewise. Default to pgp.mit.edu, as
keys.gnupg.net is unreliable.
Update users.
