| blob | 40feb44561645a3be7f4eb7b869e9017a2e41bba |
1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2010, 2011, 2013, 2014, 2016, 2018 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
4 ;;;
5 ;;; This file is part of GNU Guix.
6 ;;;
7 ;;; GNU Guix is free software; you can redistribute it and/or modify it
8 ;;; under the terms of the GNU General Public License as published by
9 ;;; the Free Software Foundation; either version 3 of the License, or (at
10 ;;; your option) any later version.
11 ;;;
12 ;;; GNU Guix is distributed in the hope that it will be useful, but
13 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
14 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ;;; GNU General Public License for more details.
16 ;;;
17 ;;; You should have received a copy of the GNU General Public License
18 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
20 (define-module (guix gnupg)
21 #:use-module (ice-9 popen)
22 #:use-module (ice-9 match)
23 #:use-module (ice-9 regex)
24 #:use-module (ice-9 rdelim)
25 #:use-module (ice-9 i18n)
26 #:use-module (srfi srfi-1)
27 #:use-module (guix i18n)
28 #:use-module ((guix utils) #:select (config-directory))
29 #:use-module ((guix build utils) #:select (mkdir-p))
30 #:export (%gpg-command
31 %openpgp-key-server
32 current-keyring
33 gnupg-verify
34 gnupg-verify*
35 gnupg-status-good-signature?
36 gnupg-status-missing-key?))
38 ;;; Commentary:
39 ;;;
40 ;;; GnuPG interface.
41 ;;;
42 ;;; Code:
44 (define %gpg-command
45 ;; The GnuPG 2.x command-line program name.
46 (make-parameter (or (getenv "GUIX_GPG_COMMAND") "gpg")))
48 (define %gpgv-command
49 ;; The 'gpgv' program.
50 (make-parameter (or (getenv "GUIX_GPGV_COMMAND") "gpgv")))
52 (define current-keyring
53 ;; The default keyring of "trusted keys".
54 (make-parameter (string-append (config-directory #:ensure? #f)
55 "/gpg/trustedkeys.kbx")))
57 (define %openpgp-key-server
58 ;; The default key server. Note that keys.gnupg.net appears to be
59 ;; unreliable.
60 (make-parameter "pool.sks-keyservers.net"))
62 (define* (gnupg-verify sig file
63 #:optional (keyring (current-keyring)))
64 "Verify signature SIG for FILE against the keys in KEYRING. All the keys in
65 KEYRING as assumed to be \"trusted\", whether or not they expired or were
66 revoked. Return a status s-exp if GnuPG failed."
68 (define (status-line->sexp line)
69 ;; See file `doc/DETAILS' in GnuPG.
70 (define sigid-rx
71 (make-regexp
72 "^\\[GNUPG:\\] SIG_ID ([A-Za-z0-9+/]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+)"))
73 (define goodsig-rx
74 (make-regexp "^\\[GNUPG:\\] GOODSIG ([[:xdigit:]]+) (.+)$"))
75 (define validsig-rx
76 (make-regexp
77 "^\\[GNUPG:\\] VALIDSIG ([[:xdigit:]]+) ([[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}) ([[:digit:]]+) .*$"))
78 (define expkeysig-rx ; good signature, but expired key
79 (make-regexp "^\\[GNUPG:\\] EXPKEYSIG ([[:xdigit:]]+) (.*)$"))
80 (define errsig-rx
81 (make-regexp
82 "^\\[GNUPG:\\] ERRSIG ([[:xdigit:]]+) ([^ ]+) ([^ ]+) ([^ ]+) ([[:digit:]]+) ([[:digit:]]+)"))
84 (cond ((regexp-exec sigid-rx line)
85 =>
86 (lambda (match)
87 `(signature-id ,(match:substring match 1) ; sig id
88 ,(match:substring match 2) ; date
89 ,(string->number ; timestamp
90 (match:substring match 3)))))
91 ((regexp-exec goodsig-rx line)
92 =>
93 (lambda (match)
94 `(good-signature ,(match:substring match 1) ; key id
95 ,(match:substring match 2)))) ; user name
96 ((regexp-exec validsig-rx line)
97 =>
98 (lambda (match)
99 `(valid-signature ,(match:substring match 1) ; fingerprint
100 ,(match:substring match 2) ; sig creation date
101 ,(string->number ; timestamp
102 (match:substring match 3)))))
103 ((regexp-exec expkeysig-rx line)
104 =>
105 (lambda (match)
106 `(expired-key-signature ,(match:substring match 1) ; fingerprint
107 ,(match:substring match 2)))) ; user name
108 ((regexp-exec errsig-rx line)
109 =>
110 (lambda (match)
111 `(signature-error ,(match:substring match 1) ; key id or fingerprint
112 ,(match:substring match 2) ; pubkey algo
113 ,(match:substring match 3) ; hash algo
114 ,(match:substring match 4) ; sig class
115 ,(string->number ; timestamp
116 (match:substring match 5))
117 ,(let ((rc
118 (string->number ; return code
119 (match:substring match 6))))
120 (case rc
121 ((9) 'missing-key)
122 ((4) 'unknown-algorithm)
123 (else rc))))))
124 (else
125 `(unparsed-line ,line))))
127 (define (parse-status input)
128 (let loop ((line (read-line input))
129 (result '()))
130 (if (eof-object? line)
131 (reverse result)
132 (loop (read-line input)
133 (cons (status-line->sexp line) result)))))
135 (let* ((pipe (open-pipe* OPEN_READ (%gpgv-command) "--status-fd=1"
136 "--keyring" keyring sig file))
137 (status (parse-status pipe)))
138 ;; Ignore PIPE's exit status since STATUS above should contain all the
139 ;; info we need.
140 (close-pipe pipe)
141 status))
143 (define (gnupg-status-good-signature? status)
144 "If STATUS, as returned by `gnupg-verify', denotes a good signature, return
145 a key-id/user pair; return #f otherwise."
146 (any (lambda (sexp)
147 (match sexp
148 (((or 'good-signature 'expired-key-signature) key-id user)
149 (cons key-id user))
150 (_ #f)))
151 status))
153 (define (gnupg-status-missing-key? status)
154 "If STATUS denotes a missing-key error, then return the key-id of the
155 missing key."
156 (any (lambda (sexp)
157 (match sexp
158 (('signature-error key-id _ ...)
159 key-id)
160 (_ #f)))
161 status))
163 (define* (gnupg-receive-keys key-id server
164 #:optional (keyring (current-keyring)))
165 (unless (file-exists? keyring)
166 (mkdir-p (dirname keyring))
167 (call-with-output-file keyring (const #t))) ;create an empty keybox
169 (system* (%gpg-command) "--keyserver" server
170 "--no-default-keyring" "--keyring" keyring
171 "--recv-keys" key-id))
173 (define* (gnupg-verify* sig file
174 #:key
175 (key-download 'interactive)
176 (server (%openpgp-key-server))
177 (keyring (current-keyring)))
178 "Like `gnupg-verify', but try downloading the public key if it's missing.
179 Return #t if the signature was good, #f otherwise. KEY-DOWNLOAD specifies a
180 download policy for missing OpenPGP keys; allowed values: 'always', 'never',
181 and 'interactive' (default)."
182 (let ((status (gnupg-verify sig file)))
183 (or (gnupg-status-good-signature? status)
184 (let ((missing (gnupg-status-missing-key? status)))
185 (define (download-and-try-again)
186 ;; Download the missing key and try again.
187 (begin
188 (gnupg-receive-keys missing server keyring)
189 (gnupg-status-good-signature? (gnupg-verify sig file
190 keyring))))
192 (define (receive?)
193 (let ((answer
194 (begin
195 (format #t (G_ "Would you like to add this key \
196 to keyring '~a'?~%")
197 keyring)
198 (read-line))))
199 (string-match (locale-yes-regexp) answer)))
201 (and missing
202 (case key-download
203 ((never) #f)
204 ((always)
205 (download-and-try-again))
206 (else
207 (and (receive?)
208 (download-and-try-again)))))))))
210 ;;; gnupg.scm ends here