To tighten up security, add gpg signed repositories.xml list support.

This is a work in progress with initial gpg support in layman-9999 with an added gpg use flag enabled dep on app-portage/pyGPG-9999. I just realized I've probably put pyGPG in the wrong category, oops :/

In my opinion gpg support for layman-2.0.0 final should only include gentoo's repositories.xml (as well as others) gpg signed list support.

To be added in a later version:
- gpg signed overlay manifests
- additional tools for creating and verifying overlay manifests

Reproducible: Always
Basic thoughts/plans so far:

Setting up a gentoo-keys project for managing gpg signing keys. This will include some utilities for processing the keyid seed files, importing the key(s) from the key servers and verifying the keys added to a system match the seed info. It is this keyring that will be used to verify the repositories.xml list.

I also propose adding a gpg data field to the repositories.xml with name, keyid and fingerprint (open for debate) for any overlays that will generate and include a gpg-signed MetaManifest that can be used to verify the contents of the overlay. I will be adding tools to layman for adding the keys to the layman keyring, generating and verifying the overlay contents. It is possible that layman will just leverage the gentoo-keys utilities for some of these operations.

app-portage/pyGPG has been moved to dev-python/pyGPG.
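An added example (not layman, pyGPG or gentoo-keys code) of the two checks the comment above describes: auditing a dedicated keyring against a keyid/fingerprint seed file, and accepting a signature on the repositories.xml list only when gpg reports it valid and the signing key's primary fingerprint is one the seed pins. The seed format, the dedicated keyring, and all sample gpg output below are constructed for this illustration; the parsers run on that sample without gpg installed, and only verify_list() needs the real binary.

```python
"""Pinned-fingerprint checks for a gpg-signed repository list (hypothetical).

Assumed layout: a seed file with one "<name> <long-keyid> <fingerprint>"
line per key, a keyring holding only list-signing keys, and a detached
signature next to the list. gpg's machine-readable output is what gets
parsed: --with-colons for the keyring audit, --status-fd for verification.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SeedEntry:
    name: str
    keyid: str
    fingerprint: str


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: Optional[str]


def parse_seed(text):
    """Parse seed lines into {fingerprint: SeedEntry}.

    The 40-hex fingerprint is what gets pinned; the key id is only a label
    and must equal the fingerprint's tail, which catches seed typos early.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # trailing comments allowed
        if not line:
            continue
        name, keyid, fpr = line.split()
        keyid, fpr = keyid.upper(), fpr.upper()
        if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
            raise ValueError(f"{name}: fingerprint is not 40 hex digits")
        if not fpr.endswith(keyid):
            raise ValueError(f"{name}: key id {keyid} does not match fingerprint")
        entries[fpr] = SeedEntry(name, keyid, fpr)
    return entries


def primary_fingerprints(colons_listing):
    """Primary-key fingerprints from `gpg --with-colons --fingerprint`.

    An 'fpr' record describes the 'pub' or 'sub' record just before it;
    only the one following 'pub' names a key a seed would pin.
    """
    fprs, after_pub = set(), False
    for line in colons_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "fpr" and after_pub:
            fprs.add(fields[9].upper())          # field 10 holds the fingerprint
            after_pub = False
        elif fields[0] in ("sub", "uid"):
            after_pub = False
    return fprs


def audit_keyring(colons_listing, seed):
    """Return (missing, unexpected): seed keys absent from the keyring and
    keyring keys that no seed entry vouches for."""
    present, pinned = primary_fingerprints(colons_listing), set(seed)
    return pinned - present, present - pinned


STATUS_PREFIX = "[GNUPG:] "
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_text, pinned):
    """Judge `--status-fd` output: the signature must be valid and made by a
    pinned key. GOODSIG carries only a key id, so the decision rests on the
    full fingerprints in the VALIDSIG record."""
    fingerprint = failure = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FAILURE_TAGS:
            failure = fields[0]
        elif fields[0] == "VALIDSIG" and len(fields) >= 2:
            # field 1: fingerprint of the signing (sub)key; field 10, when
            # present: fingerprint of its primary key, which is what we pin
            fingerprint = (fields[10] if len(fields) >= 11 else fields[1]).upper()
    if failure:
        return VerifyResult(False, failure, fingerprint)
    if fingerprint is None:
        return VerifyResult(False, "NO_VALIDSIG", None)
    if fingerprint not in pinned:
        return VerifyResult(False, "UNPINNED_KEY", fingerprint)
    return VerifyResult(True, "OK", fingerprint)


def verify_list(list_path, sig_path, keyring, seed):
    """Live path (needs gpg on PATH): verify against the dedicated keyring
    only, then apply the pinning decision to gpg's status output."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig_path, list_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout, set(seed))


# ---- constructed samples (no real keys) ------------------------------------
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNING_SUBKEY_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
STRAY_FPR = "1" * 40
STALE_FPR = "2" * 40
SEED_TEXT = f"""
# name          long key id       fingerprint
gentoo-repos    89ABCDEF01234567  {PINNED_FPR}
stale-signer    2222222222222222  {STALE_FPR}
"""
COLONS_SAMPLE = f"""pub:-:4096:1:89ABCDEF01234567:1704067200:::-:::scESC::::::23::0:
fpr:::::::::{PINNED_FPR}:
uid:-::::1704067200::0000::Example List Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1704067200::::::s::::::23:
fpr:::::::::{SIGNING_SUBKEY_FPR}:
pub:-:4096:1:1111111111111111:1704067200:::-:::scESC::::::23::0:
fpr:::::::::{STRAY_FPR}:
uid:-::::1704067200::0000::Unexpected Key <who@example.invalid>::::::::::0:
"""
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example List Signer <signer@example.invalid>
[GNUPG:] VALIDSIG {SIGNING_SUBKEY_FPR} 2024-01-01 1704067200 0 4 0 1 10 01 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
UNPINNED_STATUS = f"""[GNUPG:] GOODSIG 1111111111111111 Unexpected Key <who@example.invalid>
[GNUPG:] VALIDSIG {STRAY_FPR} 2024-01-01 1704067200 0 4 0 1 10 01 {STRAY_FPR}
"""
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example List Signer <signer@example.invalid>\n"


def demo():
    """Run every check on the constructed samples; returns the outcomes."""
    seed = parse_seed(SEED_TEXT)
    return {
        "audit": audit_keyring(COLONS_SAMPLE, seed),
        "good": parse_status(GOOD_STATUS, set(seed)),
        "unpinned": parse_status(UNPINNED_STATUS, set(seed)),
        "bad": parse_status(BAD_STATUS, set(seed)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two details matter for the defensive value: the keyring passed with --no-default-keyring holds only list-signing keys, so an unrelated key that happens to sit in the user's default keyring cannot satisfy the check, and acceptance is decided on the primary key's full fingerprint from VALIDSIG rather than on GOODSIG's 64-bit key id.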
Although I've been making progress on gentoo-keys, I think I am going to drop this feature from a layman-2.0.0 final release. This can go into a layman-2.0.1 when it is ready. layman-2.0.0_rc5 has been out for a month now without any bugs reported against it, so I would like to push it out as the final. The gentoo-keys and pygpg pkgs will need more testing before being able to consider stabilizing them.
It may be worth skimming over #387565 for some related tangents.
(In reply to comment #3)
> It may be worth skimming over #387565 for some related tangents.

Erp! REALLY sorry for posting the wrong bug. Had no idea how many people were being CC'd. Apologies. The bug was https://bugs.gentoo.org/show_bug.cgi?id=453620. It's quite speculative but related. Feel like an idiot. Sorry again ;)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=805fe7c0495e1bf3a34d518041e466258944b82b

commit 805fe7c0495e1bf3a34d518041e466258944b82b
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-06-22 13:15:09 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-06-22 13:15:09 +0000

app-portage/layman: treeclean

Closes: https://bugs.gentoo.org/761199
Closes: https://bugs.gentoo.org/609720
Closes: https://bugs.gentoo.org/627930
Closes: https://bugs.gentoo.org/700742
Closes: https://bugs.gentoo.org/649766
Closes: https://bugs.gentoo.org/681144
Closes: https://bugs.gentoo.org/648374
Closes: https://bugs.gentoo.org/545568
Closes: https://bugs.gentoo.org/581890
Closes: https://bugs.gentoo.org/539336
Closes: https://bugs.gentoo.org/590132
Closes: https://bugs.gentoo.org/574190
Closes: https://bugs.gentoo.org/578992
Closes: https://bugs.gentoo.org/540012
Closes: https://bugs.gentoo.org/412883
Closes: https://bugs.gentoo.org/443880
Closes: https://bugs.gentoo.org/480884
Closes: https://bugs.gentoo.org/567386
Closes: https://bugs.gentoo.org/454604
Closes: https://bugs.gentoo.org/567384
Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-portage/layman/Manifest            |   1 -
 app-portage/layman/layman-2.4.3.ebuild | 100 ---------------------------------
 app-portage/layman/layman-9999.ebuild  | 100 ---------------------------------
 app-portage/layman/metadata.xml        |  24 --------
 profiles/package.mask                  |   5 --
 5 files changed, 230 deletions(-)
No need to keep open for security, is a feature/hardening request.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abfaed0b3460e638410c0fd74783f8d292d63afc

commit abfaed0b3460e638410c0fd74783f8d292d63afc
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2023-09-08 00:41:10 +0000
Commit: Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2023-09-08 00:42:07 +0000

app-portage/layman: treeclan

Closes: https://bugs.gentoo.org/761199
Closes: https://bugs.gentoo.org/609720
Closes: https://bugs.gentoo.org/627930
Closes: https://bugs.gentoo.org/700742
Closes: https://bugs.gentoo.org/649766
Closes: https://bugs.gentoo.org/681144
Closes: https://bugs.gentoo.org/648374
Closes: https://bugs.gentoo.org/545568
Closes: https://bugs.gentoo.org/581890
Closes: https://bugs.gentoo.org/539336
Closes: https://bugs.gentoo.org/590132
Closes: https://bugs.gentoo.org/574190
Closes: https://bugs.gentoo.org/578992
Closes: https://bugs.gentoo.org/540012
Closes: https://bugs.gentoo.org/412883
Closes: https://bugs.gentoo.org/443880
Closes: https://bugs.gentoo.org/480884
Closes: https://bugs.gentoo.org/567386
Closes: https://bugs.gentoo.org/454604
Closes: https://bugs.gentoo.org/567384
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-portage/layman/Manifest            |   1 -
 app-portage/layman/layman-2.4.3.ebuild | 100 ---------------------------------
 app-portage/layman/layman-9999.ebuild  | 100 ---------------------------------
 app-portage/layman/metadata.xml        |  24 --------
 profiles/package.mask                  |   5 --
 5 files changed, 230 deletions(-)