services: guix: Generate key pair if needed during activation.

* gnu/services/base.scm (guix-activation): Invoke "guix archive --generate-key". * doc/guix.texi (Invoking guix archive) (Invoking guix deploy): Mention that 'guix-service-type' takes care of generating the key pair.
2020-09-27 14:55:32 +02:00 · 2020-09-27 14:55:32 +02:00 · d367a7f3d0
parent 8ac318068b
commit d367a7f3d0
2 changed files with 16 additions and 8 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -4600,9 +4600,11 @@ the store.
@item --generate-key[=@var{parameters}]
@cindex signing, archives
 Generate a new key pair for the daemon.  This is a prerequisite before
-archives can be exported with @option{--export}.  Note that this
-operation usually takes time, because it needs to gather enough entropy
-to generate the key pair.
+archives can be exported with @option{--export}.  This
+operation is usually instantaneous but it can take time if the system's
+entropy pool needs to be refilled.  On Guix System,
+@code{guix-service-type} takes care of generating this key pair the
+first boot.

 The generated key pair is typically stored under @file{/etc/guix}, in
@file{signing-key.pub} (public key) and @file{signing-key.sec} (private
@ -29684,7 +29686,8 @@ a Virtual Private Server (VPS) provider.  In such a case, a different

 Do note that you first need to generate a key pair on the coordinator machine
 to allow the daemon to export signed archives of files from the store
-(@pxref{Invoking guix archive}).
+(@pxref{Invoking guix archive}), though this step is automatic on Guix
+System:

@example
 # guix archive --generate-key
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@ -1653,10 +1653,15 @@ proxy of 'guix-daemon'...~%")
     ;; otherwise call 'chown' here, but the problem is that on a COW overlayfs,
     ;; chown leads to an entire copy of the tree, which is a bad idea.

-     ;; Optionally authorize substitute server keys.
-     (if authorize-key?
-         (substitute-key-authorization keys guix)
-         #~#f))))
+     ;; Generate a key pair and optionally authorize substitute server keys.
+     #~(begin
+         (unless (file-exists? "/etc/guix/signing-key.pub")
+           (system* #$(file-append guix "/bin/guix") "archive"
+                    "--generate-key"))
+
+         #$(if authorize-key?
+               (substitute-key-authorization keys guix)
+               #~#f)))))

 (define* (references-file item #:optional (name "references"))
  "Return a file that contains the list of references of ITEM."