guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Finding a “good” OpenPGP key server

From: Tanguy LE CARROUR
Subject: Re: Finding a “good” OpenPGP key server
Date: Thu, 21 Apr 2022 19:15:33 +0200
User-agent: alot/0.10 
Hi Ludo’,

Thanks for updating the topic! :-)


Quoting Ludovic Courtès (2022-04-18 22:24:00)
> Tanguy LE CARROUR <tanguy@bioneland.org> skribis:
> 
> > $ ./pre-inst-env guix refresh -u gnurl
> >
> > Starting download of /tmp/guix-file.NqJa4t
> > From https://ftpmirror.gnu.org/gnu/gnunet/gnurl-7.72.0.tar.gz...
> > following redirection to 
> > `https://mirrors.ocf.berkeley.edu/gnu/gnunet/gnurl-7.72.0.tar.gz'...
> >  …2.0.tar.gz  3.3MiB                  3.1MiB/s 00:01 [##################] 
> > 100.0%
> >
> > Starting download of /tmp/guix-file.VXn0IS
> > From https://ftpmirror.gnu.org/gnu/gnunet/gnurl-7.72.0.tar.gz.sig...
> > following redirection to 
> > `https://mirrors.ocf.berkeley.edu/gnu/gnunet/gnurl-7.72.0.tar.gz.sig'...
> >  …0.tar.gz.sig  833B                  654KiB/s 00:00 [##################] 
> > 100.0%
> > gpgv: Signature made Wed 16 Sep 2020 22:30:16 CEST
> > gpgv:                using RSA key 6115012DEA3026F62A98A556D6B570842F7E7F8D
> > gpgv: Can't check signature: No public key
> > Would you like to add this key to keyring 
> > '/home/tanguy/.config/guix/upstream/trustedkeys.kbx'?
> > yes
> > gpg: keyserver receive failed: No data
> 
> This indicates that ‘guix refresh’ failed to download the relevant GPG
> key from the default key server, the one that appears in
> ~/.gnupg/dirmngr.conf (if it exists).
> 
> That’s unfortunately often the case these days.  :-/ This key appears to
> be on keys.openpgp.org, but it lacks a “user ID” packet and so gpg
> ignores it (for no good reason):
> 
> --8<---------------cut here---------------start------------->8---
> $ gpg --no-default-keyring --keyring 
> /home/ludo/.config/guix/upstream/trustedkeys.kbx --keyserver keys.openpgp.org 
> --recv-keys 6115012DEA3026F62A98A556D6B570842F7E7F8D
> gpg: key D6B570842F7E7F8D: no user ID
> gpg: Total number processed: 1
> $ gpg --no-default-keyring --keyring 
> /home/ludo/.config/guix/upstream/trustedkeys.kbx --list-keys 
> 6115012DEA3026F62A98A556D6B570842F7E7F8D
> gpg: error reading key: No public key
> --8<---------------cut here---------------end--------------->8---
> 
> I’m not sure what a good solution is (other than looking for the key
> manually on Savannah or on some random key server).

Sorry it took me so long to answer!

Actually, Nikita answered this question on a thread on GNUnet's mailing list:

https://lists.gnu.org/archive/html/gnunet-developers/2022-04/msg00030.html

The end of the discussion is off list. The key used to
sign the package is deprecated and not to be used any more/any where.

The proper solution should come from GNUnet, but maybe, we could bypass
the key verification in Guix. Or, I could clone the repo, claim
ownership and sign a new package myself. But that doesn't look like a
good/fair solution to me! Thoughts?!

Regards,

-- 
Tanguy
reply via email to
[Prev in Thread] Current Thread [Next in Thread]