guix-attest should support custom GPG executable names #24346

JeremyRand opened this issue on February 15, 2022
  1. JeremyRand commented at 2:04 AM on February 15, 2022: contributor

    Is your feature request related to a problem? Please describe.

    In Qubes OS, the "Split-GPG" feature allows keeping the private key in a separate VM from the application (in this case guix-attest). This prevents a compromised VM (in which Bitcoin Core was built) from stealing the private signing key. Qubes provides a qubes-gpg-client-wrapper executable that has the same API as gpg. Unfortunately, there is currently no way to make guix-attest use that executable instead of plain gpg.

    Describe the solution you'd like

    Support an optional environment variable in guix-attest, which allows specifying an arbitrary command name that replaces gpg.

    Describe alternatives you've considered

    I considered a command-line parameter, but it seems that environment variables are the convention in guix-attest.

    Additional context

    I believe OpenTimestamps provides a wrapper with gpg's API as well, so maybe this would also be helpful for facilitating OpenTimestamps with Guix.

  2. JeremyRand added the label Feature on Feb 15, 2022
  3. JeremyRand commented at 2:05 AM on February 15, 2022: contributor

    I would probably be able to provide a PR for this if there's indication that Bitcoin Core is open to this feature.

  4. laanwj added the label Build system on Feb 15, 2022
  5. laanwj commented at 12:46 PM on February 15, 2022: member

    Yes, this would make sense. I guess an optional environment variable would be most straightforward.

    > Unfortunately, there is currently no way to make guix-attest use that executable instead of plain gpg.

    There's always the "temporarily add a PATH with a script or symlink" way, but it's a hassle.

  6. prusnak commented at 7:03 PM on March 13, 2022: contributor
  7. JeremyRand commented at 6:38 AM on March 14, 2022: contributor

    @prusnak Awesome, thank you so much for saving me the time. :)

  8. laanwj closed this on Apr 6, 2022

  9. sidhujag referenced this in commit 7b911b20b1 on Apr 6, 2022
  10. dekm referenced this in commit 9481d49f4a on Oct 27, 2022
  11. DrahtBot locked this on Apr 6, 2023
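
The override requested in this issue, sketched as an added shell example (not code from guix-attest or from this thread). The variable name `SIGNER_GPG` and both function names are hypothetical; the script fails closed when the configured command cannot be resolved instead of silently falling back to another signer.

```shell
#!/bin/sh
# Added illustration. SIGNER_GPG is a hypothetical variable name,
# not the one guix-attest uses.

# Resolve the signing command: the override if set, otherwise plain gpg.
# Prints what the shell would execute; returns 1 if nothing resolves.
resolve_gpg() {
    cmd="${SIGNER_GPG:-gpg}"
    resolved="$(command -v "$cmd" 2>/dev/null)" || {
        echo "ERR: signing command '$cmd' not found" >&2
        return 1
    }
    printf '%s\n' "$resolved"
}

# Create a detached, armored signature using the resolved command.
# Any wrapper that accepts gpg's command line (such as the Split-GPG
# client wrapper named in the issue) can be substituted via SIGNER_GPG.
sign_detached() {  # usage: sign_detached <file> <output.asc>
    gpg_bin="$(resolve_gpg)" || return 1
    "$gpg_bin" --detach-sign --armor --output "$2" "$1"
}
```

Setting the variable to an absolute path avoids depending on `PATH` order, which the symlink workaround mentioned in the thread relies on.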


This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 03:13 UTC
