authorLudovic Courtès <ludo@gnu.org>2025-12-19 08:34:28 +0100
committerLudovic Courtès <ludo@gnu.org>2025-12-22 15:11:27 +0100
commitf55793c575fcf8667d52e0b458fee62ef0d69d0c (patch)
tree4a60fc270ed39c2ea48e699e208bc9d9375ef096
parent0ac2a0fd1813fb5c04b22f6443d8f8a96d3c9645 (diff)
archive: Make /etc/guix/signing-key.* readable by ‘guix-daemon’.
The manual suggests running ‘guix archive --generate-key’ as root, but that would lead to root-owned /etc/guix/signing-key.{pub,sec}, with the secret key unreadable by the unprivileged guix-daemon. This fixes it. Reported in guix/guix#4844. * guix/scripts/archive.scm (generate-key-pair)[ensure-daemon-ownership]: New procedure. Use it for ‘%public-key-file’, ‘%private-key-file’, and their parent directory. Reported-by: Rutherther <rutherther@ditigal.xyz> Change-Id: I7ae980bfd40078fb7ef27a193217b15f366d5d50 Signed-off-by: Ludovic Courtès <ludo@gnu.org> Merges: #4958
-rw-r--r--guix/scripts/archive.scm19
1 files changed, 18 insertions, 1 deletions
diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index cf2c045c2e5..febd46f4580 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -279,16 +279,33 @@ this may take time...~%"))
(error-source err)
(error-string err)))))
(public (find-sexp-token pair 'public-key))
- (secret (find-sexp-token pair 'private-key)))
+ (secret (find-sexp-token pair 'private-key))
+ (store (stat (%store-prefix) #f)))
+ (define (ensure-daemon-ownership file)
+ ;; Ensure FILE is readable by the daemon, by changing ownership either
+ ;; to root or to the owner of the store.
+ (when store
+ (chown file
+ (stat:uid store)
+ (match (stat:uid store)
+ ;; When the store is root-owned, use 0 as the GID for the
+ ;; keys (the store's GID is usually that of 'guixbuild').
+ (0 0)
+ (_ (stat:gid store))))))
+
;; Create the following files as #o400.
(umask #o266)
(mkdir-p (dirname %public-key-file))
+ (ensure-daemon-ownership (dirname %public-key-file))
+
(with-atomic-file-output %public-key-file
(lambda (port)
+ (ensure-daemon-ownership port)
(display (canonical-sexp->string public) port)))
(with-atomic-file-output %private-key-file
(lambda (port)
+ (ensure-daemon-ownership port)
(display (canonical-sexp->string secret) port)))
;; Make the public key readable by everyone.