gpg: fix correctly setting trust for all keys

When passing `gpg.publicKeys` a `source` including _multiple_ keys, only the first one in `source` will have `trust` set correctly. This commit fixes the issue and adds a corresponding test (failing without the patch, fixed with it).
2025-11-08 19:46:05 +01:00 · 2025-11-03 00:37:06 +00:00 · 2025-11-03 00:37:06 +00:00 · 95d65dddae
commit 95d65dddae
parent a5fee07792
4 changed files with 108 additions and 1 deletions
--- a/tests/modules/programs/gpg/default.nix
+++ b/tests/modules/programs/gpg/default.nix
@ -1,5 +1,6 @@
 {
  gpg-immutable-keyfiles = ./immutable-keyfiles.nix;
  gpg-mutable-keyfiles = ./mutable-keyfiles.nix;
+  gpg-multiple-keys-trust = ./multiple-keys-trust.nix;
  gpg-override-defaults = ./override-defaults.nix;
 }
--- a/tests/modules/programs/gpg/multiple-keys-trust.nix
+++ b/tests/modules/programs/gpg/multiple-keys-trust.nix
@ -0,0 +1,61 @@
+{ realPkgs, ... }:
+
+{
+  programs.gpg = {
+    enable = true;
+    package = realPkgs.gnupg;
+
+    mutableKeys = false;
+    mutableTrust = false;
+
+    publicKeys = [
+      {
+        # This file contains three public keys
+        # The bug causes only the first key to have trust set
+        source = ./test-keys/multiple-keys.asc;
+        trust = "ultimate"; # trust level 5
+      }
+    ];
+  };
+
+  nmt.script = ''
+    assertFileNotRegex activate "^export GNUPGHOME=/home/hm-user/.gnupg$"
+
+    assertFileRegex activate \
+      '^install -m 0700 /nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg "/home/hm-user/.gnupg/trustdb.gpg"$'
+
+    # Setup GPGHOME
+    export GNUPGHOME=$(mktemp -d)
+    cp -r $TESTED/home-files/.gnupg/* $GNUPGHOME
+    TRUSTDB=$(grep -o '/nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg' $TESTED/activate)
+    install -m 0700 $TRUSTDB $GNUPGHOME/trustdb.gpg
+
+    # Export Trust
+    export WORKDIR=$(mktemp -d)
+    ${realPkgs.gnupg}/bin/gpg -q --export-ownertrust > $WORKDIR/gpgtrust.txt
+
+    echo "=== Trust database contents ==="
+    cat $WORKDIR/gpgtrust.txt
+    echo "=== End of trust database ==="
+
+    # The test file contains three keys:
+    # - 13B06D9193E01E0F (Test User One) - fingerprint: B07502E7B7ED0A4AA3BF191913B06D9193E01E0F
+    # - 42E7B990011430DE (Test User Two) - fingerprint: 6A2A713AE7F93C8EA6D264B642E7B990011430DE
+    # - DFC825F8209CE742 (Test User Three) - fingerprint: E66D263DC7174345AB102829DFC825F8209CE742
+    #
+    # All three keys should have ultimate trust (level 6 in ownertrust format)
+    # Due to the bug in importTrust function, only the first key gets trust set
+
+    # Check that first key has ultimate trust (this works with current code)
+    assertFileRegex $WORKDIR/gpgtrust.txt \
+      '^B07502E7B7ED0A4AA3BF191913B06D9193E01E0F:6:$'
+
+    # Check that second key has ultimate trust (this FAILS due to bug)
+    assertFileRegex $WORKDIR/gpgtrust.txt \
+      '^6A2A713AE7F93C8EA6D264B642E7B990011430DE:6:$'
+
+    # Check that third key has ultimate trust (this FAILS due to bug)
+    assertFileRegex $WORKDIR/gpgtrust.txt \
+      '^E66D263DC7174345AB102829DFC825F8209CE742:6:$'
+  '';
+}
--- a/tests/modules/programs/gpg/test-keys/multiple-keys.asc
+++ b/tests/modules/programs/gpg/test-keys/multiple-keys.asc
@ -0,0 +1,45 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGkHy/oBCADC4NT6P4eiOv1f9g8mhdLQlexO4Pefh33EicybD4tnlZZGVzYT
+2J75slIGFV9+AOX/TXsws7+0IaZYB94a3p1NKoWeYh4XZy0HQ2HRJjNWeLQ41lFC
+dCQ4A0JuqCurMFFdph59Xlh4ko3SXmPwNqXEmNX8LQlIDRNk+RiW+gJ4OC8DV6Do
+YexeQHrHxtdGrStFmEygEAB5K1xqLRrzETvPubEmPEcrvhT/7W1+TwCb/haKo+Is
+OgFcaJFv7CR6EbYh3DNZa4Zrd/WpNAL8+Kmz89VTdw0qaSYJxV9uR4DdmgX+2tAv
+WmLuTuPMabU599p9nRUqk1Pj5fit6octCxX9ABEBAAG0IVRlc3QgVXNlciBPbmUg
+PHRlc3QxQGV4YW1wbGUuY29tPokBTwQTAQoAORYhBLB1Aue37QpKo78ZGROwbZGT
+4B4PBQJpB8v6AxsvBAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRATsG2Rk+Ae
+D54fB/9EN7IjdwARheioFsZlifda5t31l084eYsq9kLzjCrxCXNlDZEIi6QrNBBA
+CDZyv5bM+JLrZPbZ/1J1caoB6W9+ARPLiERWMhql7JNWSS/4Yhf/L0aD0C3pJFJf
+h3bcSxhAzXBL3857cELR88UeV7NHPNdJsKVX0h7r1xe1D1oGZd19qbyZx3FJLzH8
+p01ZkLoKdKAh42x+XN6KrOWGWFyvLX56pXjp9mjero2iDpUlBdIV15CFJ+aoVI3B
+KG26z4B7/L8kQVO2eH41k/i39u9SuvuCinYcNQ/5/blpaIc7xqL5jI1gapzE4bBu
+GzGOKJoWRgGJDUZzyvTtxbI/nsK6mQENBGkHy/oBCADHGrIJ1uTGWJvSt+2pmqxK
+ruXQvVxQva3GbYIgePQa88PzhORYTnuskEdOhNhMTaxKWbxS1bfDXf3Akjis+kHb
+xLK692XtKFf88ALV6ts0Rd4YRG6BCcwMPAfFuQhyQRxclNk5XHzaH6IvKvmrSkvG
+wilLkrdj9hW32FvVYDyjdiDSbvs05d8EfRr7UF/fMQC5HOJJ6VSC7HJ7tQGWvtNG
+eyr/I61OSDxhf6PF5CfuepajO0nzsVHvsXTxoJwYbx+zXSlGxTsHWYxp6r0MdPE/
+vCNmvrfpz4PoTiE43Xa3XsYSO2gRCpMYJKQaxl5pCfBGSmKpCF1YDBSTrRYyacyv
+ABEBAAG0IVRlc3QgVXNlciBUd28gPHRlc3QyQGV4YW1wbGUuY29tPokBTwQTAQoA
+ORYhBGoqcTrn+TyOptJktkLnuZABFDDeBQJpB8v6AxsvBAULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRBC57mQARQw3nIGB/9/j1SIk+DxmCeT2fihQmS7lubDoq1I
+FUdjb7cAGBs4KAmJh8MVMsYyB+EtaVC8qu4C5EgNNV0+c2H8UishGcZvMm9Qg7LQ
+MTSGKLwXikaiIvyw3zlh1FpJn2rYUSvCplVswhF/dfSlenmU81eiPigYsvzVoa8h
+xJNn01DLu4cd2VsBhWW/2w3DKSvVHRPdlPTPrqkjzMQRy2ULa2yTWiiuxWJxHuj0
+3ocvLGlpyyvIwyoFVG4Lex4r+jSL3RCllEUjADAMgDPfhoTEerfgORCVEqGE/JLR
+MVrTl6bMuodGehXgCRalcg9ChUADBHS4fZ0NiH46QhTblwRRFc2K6WbzmQENBGkH
+y/oBCADAzZTgBmulUSr29gmBELA1gpMNHZ3J/2R3mTXMFaZAsi84uCZNyLLrDhU4
+WaXVRURlwY4eHdvIMc3IM846s0SkLKDy3cIbusQK9NDVS/69LRyKNiZMjEbpODZl
+fT5AtQUOL1jAIxy/wVEKzqih0so6mfNCwKFshWyi4p2+E8dFT8apTvhwJkdpptb6
+q8Q1ABx+NRE1iSK+lFUw7xD7lLDvUYcHn6glpEMIGjg3/BLF74nVYFe6rCuFKgNt
+GHLk1ZjoldbQRmTxdaKkb6vmfPWjbQuZCdNAUT87ljnrpdl3YxRN2ujQ1tHrWkby
+C+anhmkdoQnqQPpICaeLe6NwHpPVABEBAAG0I1Rlc3QgVXNlciBUaHJlZSA8dGVz
+dDNAZXhhbXBsZS5jb20+iQFPBBMBCgA5FiEE5m0mPccXQ0WrECgp38gl+CCc50IF
+AmkHy/oDGy8EBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEN/IJfggnOdC7qEH
+/idAjYhb9QNnOOu7lPkgLnPVanLCE20uHoGLeDUNkz2+2VFmkTu9poHKp4P7tW4e
+/wMyy6uv4X1kcp6XcwVALx2HRU/PKLy1kNQFEeDocA1fx0wloJTfGfJpbxXWPFUG
+oTVx0V2BwjiGK1+MTZCJQ+aqS2mXPLMPRv0ZKw8CQOeGHRJCD3NBEiWxpi5wncFM
+DFDnaKrTCgmndRIafdXU3B7L4zZkNwcXRylkxVFjl938W5czbqa0o2LLadd/trJZ
+YN/21BNkS/QmrH1Kapcgj5GvJp8ky4OpccrCTxfWLmRVfxtdo/N2woNyK9xvjiwd
+TYMaXvrf93dAboJrOmiAtPA=
+=tjTO
+-----END PGP PUBLIC KEY BLOCK-----