nix-community/home-manager
1
0
Fork 0
mirror of https://github.com/nix-community/home-manager.git synced 2025-11-08 19:46:05 +01:00
Code Activity

gpg: fix correctly setting trust for all keys

Browse source 
When passing `gpg.publicKeys` a `source` including _multiple_ keys,
only the first one in `source` will have `trust` set correctly.

This commit fixes the issue and adds a corresponding test
(failing without the patch, fixed with it).
This commit is contained in:
aldur 2025-11-03 00:37:06 +00:00 committed by Austin Horstman
parent a5fee07792
commit 95d65dddae
4 changed files with 108 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/programs/gpg.nix
View file

@ -125,7 +125,7 @@ let
function importTrust() { function importTrust() {
local keyIds trust local keyIds trust
IFS='\n' read -ra keyIds <<< "$(gpgKeyId "$1")" mapfile -t keyIds <<< "$(gpgKeyId "$1")"
trust="$2" trust="$2"
for id in "''${keyIds[@]}" ; do for id in "''${keyIds[@]}" ; do
{ echo trust; echo "$trust"; (( trust == 5 )) && echo y; echo quit; } \ { echo trust; echo "$trust"; (( trust == 5 )) && echo y; echo quit; } \

1
tests/modules/programs/gpg/default.nix
View file

@ -1,5 +1,6 @@
{ {
gpg-immutable-keyfiles = ./immutable-keyfiles.nix; gpg-immutable-keyfiles = ./immutable-keyfiles.nix;
gpg-mutable-keyfiles = ./mutable-keyfiles.nix; gpg-mutable-keyfiles = ./mutable-keyfiles.nix;
gpg-multiple-keys-trust = ./multiple-keys-trust.nix;
gpg-override-defaults = ./override-defaults.nix; gpg-override-defaults = ./override-defaults.nix;
} }

61
tests/modules/programs/gpg/multiple-keys-trust.nix Normal file
View file

@ -0,0 +1,61 @@
{ realPkgs, ... }:
{
programs.gpg = {
enable = true;
package = realPkgs.gnupg;
mutableKeys = false;
mutableTrust = false;
publicKeys = [
{
# This file contains three public keys
# The bug causes only the first key to have trust set
source = ./test-keys/multiple-keys.asc;
trust = "ultimate"; # trust level 5
}
];
};
nmt.script = ''
assertFileNotRegex activate "^export GNUPGHOME=/home/hm-user/.gnupg$"
assertFileRegex activate \
'^install -m 0700 /nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg "/home/hm-user/.gnupg/trustdb.gpg"$'
# Setup GPGHOME
export GNUPGHOME=$(mktemp -d)
cp -r $TESTED/home-files/.gnupg/* $GNUPGHOME
TRUSTDB=$(grep -o '/nix/store/[0-9a-z]*-gpg-pubring/trustdb.gpg' $TESTED/activate)
install -m 0700 $TRUSTDB $GNUPGHOME/trustdb.gpg
# Export Trust
export WORKDIR=$(mktemp -d)
${realPkgs.gnupg}/bin/gpg -q --export-ownertrust > $WORKDIR/gpgtrust.txt
echo "=== Trust database contents ==="
cat $WORKDIR/gpgtrust.txt
echo "=== End of trust database ==="
# The test file contains three keys:
# - 13B06D9193E01E0F (Test User One) - fingerprint: B07502E7B7ED0A4AA3BF191913B06D9193E01E0F
# - 42E7B990011430DE (Test User Two) - fingerprint: 6A2A713AE7F93C8EA6D264B642E7B990011430DE
# - DFC825F8209CE742 (Test User Three) - fingerprint: E66D263DC7174345AB102829DFC825F8209CE742
#
# All three keys should have ultimate trust (level 6 in ownertrust format)
# Due to the bug in importTrust function, only the first key gets trust set
# Check that first key has ultimate trust (this works with current code)
assertFileRegex $WORKDIR/gpgtrust.txt \
'^B07502E7B7ED0A4AA3BF191913B06D9193E01E0F:6:$'
# Check that second key has ultimate trust (this FAILS due to bug)
assertFileRegex $WORKDIR/gpgtrust.txt \
'^6A2A713AE7F93C8EA6D264B642E7B990011430DE:6:$'
# Check that third key has ultimate trust (this FAILS due to bug)
assertFileRegex $WORKDIR/gpgtrust.txt \
'^E66D263DC7174345AB102829DFC825F8209CE742:6:$'
'';
}

45
tests/modules/programs/gpg/test-keys/multiple-keys.asc Normal file
View file

@ -0,0 +1,45 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBGkHy/oBCADC4NT6P4eiOv1f9g8mhdLQlexO4Pefh33EicybD4tnlZZGVzYT
2J75slIGFV9+AOX/TXsws7+0IaZYB94a3p1NKoWeYh4XZy0HQ2HRJjNWeLQ41lFC
dCQ4A0JuqCurMFFdph59Xlh4ko3SXmPwNqXEmNX8LQlIDRNk+RiW+gJ4OC8DV6Do
YexeQHrHxtdGrStFmEygEAB5K1xqLRrzETvPubEmPEcrvhT/7W1+TwCb/haKo+Is
OgFcaJFv7CR6EbYh3DNZa4Zrd/WpNAL8+Kmz89VTdw0qaSYJxV9uR4DdmgX+2tAv
WmLuTuPMabU599p9nRUqk1Pj5fit6octCxX9ABEBAAG0IVRlc3QgVXNlciBPbmUg
PHRlc3QxQGV4YW1wbGUuY29tPokBTwQTAQoAORYhBLB1Aue37QpKo78ZGROwbZGT
4B4PBQJpB8v6AxsvBAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRATsG2Rk+Ae
D54fB/9EN7IjdwARheioFsZlifda5t31l084eYsq9kLzjCrxCXNlDZEIi6QrNBBA
CDZyv5bM+JLrZPbZ/1J1caoB6W9+ARPLiERWMhql7JNWSS/4Yhf/L0aD0C3pJFJf
h3bcSxhAzXBL3857cELR88UeV7NHPNdJsKVX0h7r1xe1D1oGZd19qbyZx3FJLzH8
p01ZkLoKdKAh42x+XN6KrOWGWFyvLX56pXjp9mjero2iDpUlBdIV15CFJ+aoVI3B
KG26z4B7/L8kQVO2eH41k/i39u9SuvuCinYcNQ/5/blpaIc7xqL5jI1gapzE4bBu
GzGOKJoWRgGJDUZzyvTtxbI/nsK6mQENBGkHy/oBCADHGrIJ1uTGWJvSt+2pmqxK
ruXQvVxQva3GbYIgePQa88PzhORYTnuskEdOhNhMTaxKWbxS1bfDXf3Akjis+kHb
xLK692XtKFf88ALV6ts0Rd4YRG6BCcwMPAfFuQhyQRxclNk5XHzaH6IvKvmrSkvG
wilLkrdj9hW32FvVYDyjdiDSbvs05d8EfRr7UF/fMQC5HOJJ6VSC7HJ7tQGWvtNG
eyr/I61OSDxhf6PF5CfuepajO0nzsVHvsXTxoJwYbx+zXSlGxTsHWYxp6r0MdPE/
vCNmvrfpz4PoTiE43Xa3XsYSO2gRCpMYJKQaxl5pCfBGSmKpCF1YDBSTrRYyacyv
ABEBAAG0IVRlc3QgVXNlciBUd28gPHRlc3QyQGV4YW1wbGUuY29tPokBTwQTAQoA
ORYhBGoqcTrn+TyOptJktkLnuZABFDDeBQJpB8v6AxsvBAULCQgHAgYVCgkICwIE
FgIDAQIeAQIXgAAKCRBC57mQARQw3nIGB/9/j1SIk+DxmCeT2fihQmS7lubDoq1I
FUdjb7cAGBs4KAmJh8MVMsYyB+EtaVC8qu4C5EgNNV0+c2H8UishGcZvMm9Qg7LQ
MTSGKLwXikaiIvyw3zlh1FpJn2rYUSvCplVswhF/dfSlenmU81eiPigYsvzVoa8h
xJNn01DLu4cd2VsBhWW/2w3DKSvVHRPdlPTPrqkjzMQRy2ULa2yTWiiuxWJxHuj0
3ocvLGlpyyvIwyoFVG4Lex4r+jSL3RCllEUjADAMgDPfhoTEerfgORCVEqGE/JLR
MVrTl6bMuodGehXgCRalcg9ChUADBHS4fZ0NiH46QhTblwRRFc2K6WbzmQENBGkH
y/oBCADAzZTgBmulUSr29gmBELA1gpMNHZ3J/2R3mTXMFaZAsi84uCZNyLLrDhU4
WaXVRURlwY4eHdvIMc3IM846s0SkLKDy3cIbusQK9NDVS/69LRyKNiZMjEbpODZl
fT5AtQUOL1jAIxy/wVEKzqih0so6mfNCwKFshWyi4p2+E8dFT8apTvhwJkdpptb6
q8Q1ABx+NRE1iSK+lFUw7xD7lLDvUYcHn6glpEMIGjg3/BLF74nVYFe6rCuFKgNt
GHLk1ZjoldbQRmTxdaKkb6vmfPWjbQuZCdNAUT87ljnrpdl3YxRN2ujQ1tHrWkby
C+anhmkdoQnqQPpICaeLe6NwHpPVABEBAAG0I1Rlc3QgVXNlciBUaHJlZSA8dGVz
dDNAZXhhbXBsZS5jb20+iQFPBBMBCgA5FiEE5m0mPccXQ0WrECgp38gl+CCc50IF
AmkHy/oDGy8EBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEN/IJfggnOdC7qEH
/idAjYhb9QNnOOu7lPkgLnPVanLCE20uHoGLeDUNkz2+2VFmkTu9poHKp4P7tW4e
/wMyy6uv4X1kcp6XcwVALx2HRU/PKLy1kNQFEeDocA1fx0wloJTfGfJpbxXWPFUG
oTVx0V2BwjiGK1+MTZCJQ+aqS2mXPLMPRv0ZKw8CQOeGHRJCD3NBEiWxpi5wncFM
DFDnaKrTCgmndRIafdXU3B7L4zZkNwcXRylkxVFjl938W5czbqa0o2LLadd/trJZ
YN/21BNkS/QmrH1Kapcgj5GvJp8ky4OpccrCTxfWLmRVfxtdo/N2woNyK9xvjiwd
TYMaXvrf93dAboJrOmiAtPA=
=tjTO
-----END PGP PUBLIC KEY BLOCK-----