[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#43650] [PATCH 5/8] services: guix: Generate key pair if needed duri
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#43650] [PATCH 5/8] services: guix: Generate key pair if needed during activation. |
|
Date: |
Sun, 27 Sep 2020 17:32:18 +0200 |
* gnu/services/base.scm (guix-activation): Invoke "guix archive
--generate-key".
* doc/guix.texi (Invoking guix archive)
(Invoking guix deploy): Mention that 'guix-service-type' takes care of
generating the key pair.
---
doc/guix.texi | 11 +++++++----
gnu/services/base.scm | 13 +++++++++----
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 82241b010a..885f7fcf97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -5048,9 +5048,11 @@ the store.
@item --generate-key[=@var{parameters}]
@cindex signing, archives
Generate a new key pair for the daemon. This is a prerequisite before
-archives can be exported with @option{--export}. Note that this
-operation usually takes time, because it needs to gather enough entropy
-to generate the key pair.
+archives can be exported with @option{--export}. This
+operation is usually instantaneous but it can take time if the system's
+entropy pool needs to be refilled. On Guix System,
+@code{guix-service-type} takes care of generating this key pair the
+first boot.
The generated key pair is typically stored under @file{/etc/guix}, in
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
@@ -29531,7 +29533,8 @@ a Virtual Private Server (VPS) provider. In such a
case, a different
Do note that you first need to generate a key pair on the coordinator machine
to allow the daemon to export signed archives of files from the store
-(@pxref{Invoking guix archive}).
+(@pxref{Invoking guix archive}), though this step is automatic on Guix
+System:
@example
# guix archive --generate-key
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index bef4eef241..04bc991356 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1653,10 +1653,15 @@ proxy of 'guix-daemon'...~%")
;; otherwise call 'chown' here, but the problem is that on a COW
overlayfs,
;; chown leads to an entire copy of the tree, which is a bad idea.
- ;; Optionally authorize substitute server keys.
- (if authorize-key?
- (substitute-key-authorization keys guix)
- #~#f))))
+ ;; Generate a key pair and optionally authorize substitute server keys.
+ #~(begin
+ (unless (file-exists? "/etc/guix/signing-key.pub")
+ (system* #$(file-append guix "/bin/guix") "archive"
+ "--generate-key"))
+
+ #$(if authorize-key?
+ (substitute-key-authorization keys guix)
+ #~#f)))))
(define* (references-file item #:optional (name "references"))
"Return a file that contains the list of references of ITEM."
--
2.28.0
[bug#43650] [PATCH 5/8] services: guix: Generate key pair if needed during activation.,
Ludovic Courtès <=
[bug#43650] [PATCH 6/8] services: hurd-vm: Initialize the guest's SSH/Guix keys at activation time., Ludovic Courtès, 2020/09/27
[bug#43650] [PATCH 7/8] services: hurd-vm: Pass "-no-reboot" when spawning the Hurd VM., Ludovic Courtès, 2020/09/27
[bug#43650] [PATCH 8/8] secret-service: Add a timeout when waiting for a client., Ludovic Courtès, 2020/09/27
[bug#43650] [PATCH 1/8] services: hurd-vm: Run QEMU as an unprivileged user., Jan Nieuwenhuizen, 2020/09/28
[bug#43650] [PATCH 0/8] Assorted childhurd improvements, Jan Nieuwenhuizen, 2020/09/28