Ideally, emerge-webrsync would verify gpg signatures by default. However, current support for FEATURES=webrsync-gpg requires users to manually establish trust, as described here:

https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

Using app-crypt/gkeys (and keys installed by app-crypt/gentoo-keys), it is possible to automatically establish trust, which will provide the convenience necessary to enable gpg signature verification by default.
This combination of commands appears to do the job, tested with app-crypt/gkeys-0.2, assuming that the tree snapshot and the corresponding .gpgsig file have been downloaded to the same directory:

  # fetch the latest key and revocation data
  gkeys refresh-key -C gentoo -n snapshot

  # check the key to make sure that it's valid
  gkeys check-key -C gentoo -n snapshot

  # verify the snapshot
  gkeys verify -C gentoo -n snapshot -F $DISTDIR/portage-20161023.tar.bz2
(In reply to Zac Medico from comment #1)
> # check the key to make sure that it's valid
> gkeys check-key -C gentoo -n snapshot

The above command fails as follows:

  # gkeys check-key -C gentoo -n snapshot
  Checking keys...
  snapshot, Gentoo Tree Snapshot (Automated) Signing Key: 0xDB6B8C1F96D8BF6D
  ==============================================
  Gkey task results:
  Found:
  -------
  Expired: 0
  Revoked: 0
  Invalid: 0
  No signing capable subkeys: 0
  # echo $?
  1
There's a patch in the following branch: https://github.com/zmedico/portage/tree/bug_597918 However, it doesn't work because of the gkeys check-key failure shown in comment #2.
There's a fix for the gkeys check-key issue here: https://github.com/gentoo/gentoo-keys/pull/53
I've removed the call to gkeys check-key, since we want to treat signatures as valid as long as they were created while the key was still valid.
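The acceptance rule stated in this comment, written out as an added example (not code from portage or gkeys) over the status lines that `gpg --status-fd` prints during verification; the pinned fingerprint and the sample status output are constructed placeholders, and the KEYEXPIRED handling assumes a single signing key.

```python
# Added example (not portage/gkeys code): apply the rule "a signature is valid
# if it was created while the key was still valid" to gpg --status-fd output.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder, constructed
REJECT = ("BADSIG", "ERRSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY")


def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD args...' line to its argument fields."""
    records = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()[1:]
            records.setdefault(fields[0], []).append(fields[1:])
    return records


def signature_acceptable(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reason) for one detached-signature verification."""
    rec = parse_status(status_text)
    for keyword in REJECT:  # bad/revoked/unknown keys are never acceptable
        if keyword in rec:
            return False, keyword
    if "VALIDSIG" not in rec:
        return False, "no VALIDSIG"
    # VALIDSIG fields: fingerprint, sig date, sig timestamp, sig expiry, ...
    valid = rec["VALIDSIG"][0]
    fpr, sig_ts = valid[0], int(valid[2])
    if fpr != pinned_fpr:
        return False, "signed by unpinned key " + fpr
    if "GOODSIG" in rec:
        return True, "good signature, key currently valid"
    if "EXPKEYSIG" in rec:
        # KEYEXPIRED gives the expiry in seconds since the epoch. gpg emits it
        # for expired subkeys too, so this assumes a single signing key.
        if "KEYEXPIRED" not in rec:
            return False, "expired key, expiry time unknown"
        if sig_ts < int(rec["KEYEXPIRED"][0][0]):
            return True, "signed before the key expired"
        return False, "signed after the key expired"
    return False, "no GOODSIG or EXPKEYSIG"


# Constructed status output: key expired 2017-07-14, snapshot signed 2016-10-23.
EXPIRED_KEY_OLD_SIG = """[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Snapshot Signing Key
[GNUPG:] KEYEXPIRED 1500000000
[GNUPG:] VALIDSIG {fpr} 2016-10-23 1477180800 0 4 0 1 10 00 {fpr}
""".format(fpr=PINNED_FPR)
# Same key, signature dated after the expiry: must be rejected.
EXPIRED_KEY_NEW_SIG = EXPIRED_KEY_OLD_SIG.replace("1477180800", "1600000000")
```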
Patch posted for review: https://archives.gentoo.org/gentoo-portage-dev/message/8f2be5bfa699498c92d6b432621e1b87 https://github.com/gentoo/portage/pull/64
This is in the master branch: https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80
(In reply to Zac Medico from comment #7)
> This is in the master branch:
>
> https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80

We need a stabilized release of app-crypt/gkeys, or else we should revert this until we have one.
Yeah, we need to fix a few things and make a new release. So, yeah, probably best to revert this in master, leave it in a branch we can add the meta-manifest stuff to as well, then we can co-ordinate with gkeys release when both are ready. Then get them both stabled together.
Reverted: https://gitweb.gentoo.org/proj/portage.git/commit/?id=405ab9faa09efd3ee97f83a6c791188162831c75
app-crypt/gkeys is last rited now.
By default, we use gemato for key refresh since bug 689506.