From fa3d9c4db4407cebf9bdb2e251595bd25193c95e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= Date: Tue, 21 Jul 2020 12:30:24 +0200 Subject: [PATCH] upstream: 'download-tarball' gracefully handles missing signatures. This avoids a backtrace with "guix refresh -u rdiff-backup", which has ".asc" signatures instead of ".sig". * guix/upstream.scm (download-tarball): Gracefully handle the case where SIG is false. * guix/gnu-maintenance.scm (latest-savannah-release): Add comment about 'file->signature'. --- guix/gnu-maintenance.scm | 3 +++ guix/upstream.scm | 9 ++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/guix/gnu-maintenance.scm b/guix/gnu-maintenance.scm index 2a4d94dbb0..cd7109002b 100644 --- a/guix/gnu-maintenance.scm +++ b/guix/gnu-maintenance.scm @@ -650,6 +650,9 @@ (define (latest-savannah-release package) (directory (dirname (uri-path uri))) (rewrite (url-prefix-rewrite %savannah-base "mirror://savannah"))) + ;; Note: We use the default 'file->signature', which adds ".sig", but not + ;; all projects on Savannah follow that convention: some use ".asc" and + ;; perhaps some lack signatures altogether. (and=> (latest-html-release package #:base-url %savannah-base #:directory directory) diff --git a/guix/upstream.scm b/guix/upstream.scm index 6a57bad710..70cbfb45e8 100644 --- a/guix/upstream.scm +++ b/guix/upstream.scm @@ -326,10 +326,17 @@ (define* (download-tarball store url signature-url (built-derivations (list drv)) (return (derivation->output-path drv)))))))) (let-values (((status data) - (gnupg-verify* sig data #:key-download key-download))) + (if sig + (gnupg-verify* sig data + #:key-download key-download) + (values 'missing-signature data)))) (match status ('valid-signature tarball) + ('missing-signature + (warning (G_ "failed to download detached signature from ~a~%") + signature-url) + #f) ('invalid-signature (warning (G_ "signature verification failed for '~a' (key: ~a)~%") url data)