Bug 557012 - gpg signature of portage-latest.tar.xz is not always valid
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other web server issues
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2015-08-08 08:45 UTC by georg
Modified: 2015-10-15 10:38 UTC



Attachments
My update script to sync the tree (update-portage-git.sh,1.21 KB, application/x-shellscript)
2015-08-08 08:47 UTC, georg

Description georg 2015-08-08 08:45:42 UTC
For some time I have been running my portage git repository on my server, which syncs every day with the added script.
From time to time the gpg signature check fails. When I manually download them they fit. Is the link on the server not always valid?

The update from the server happens in my daily cron job. 
Time: 03:09 Europe/Berlin

For example, the current files, which are ok, are from

ls -la /tmp/portage-latest.tar.xz*
-rw-r--r-- 1 root root 67413520  8. Aug 02:45 /tmp/portage-latest.tar.xz
-rw-r--r-- 1 root root      819  8. Aug 02:55 /tmp/portage-latest.tar.xz.gpgsig

cat /etc/timezone 
Europe/Berlin



Reproducible: Sometimes
Comment 1 georg 2015-08-08 08:47:12 UTC
Created attachment 408530
My update script to sync the tree
Comment 2 georg 2015-08-08 08:47:41 UTC
Should I change the time when the portage tree gets downloaded?
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-24 18:48:59 UTC
Is this still occurring?  The portage tarball release process has been updated somewhat since the change to git.
Comment 4 georg 2015-09-25 06:28:38 UTC
The last times it didn't happen again. I guess it can be closed.
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-25 07:32:29 UTC
Thanks, closing.
Comment 6 georg 2015-10-15 03:14:37 UTC
It happened again. It seems that there is something not always in sync. 

gpg: Signature made Tue Oct 13 02:55:18 2015 CEST using RSA key ID C9189250
gpg: BAD signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]

Am I the only one who checks gpg signatures?
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-15 03:35:04 UTC
That key ID seems valid... I use portage tarballs with signing as well.

C9189250

It's our signing subkey:
https://wiki.gentoo.org/wiki//etc/portage/repos.conf/webrsync.conf
https://wiki.gentoo.org/wiki/Handbook:Parts/Working/Features#Pulling_validated_Gentoo_ebuild_tree_snapshots

gpg --homedir /etc/portage/gpg/ --list-keys
/etc/portage/gpg//pubring.gpg
-----------------------------
pub   dsa1024/239C75C4 2007-11-25 [expired: 2012-05-23]
uid       [ expired] Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub   rsa4096/96D8BF6D 2011-11-25 [expires: 2015-11-24]
uid       [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub   rsa4096/C9189250 2011-11-25 [expires: 2015-11-24]
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2015-10-15 04:13:46 UTC
I suspect you may be hitting it in the middle of a mirror update or something like that. Would it be possible for you to check if it happens an hour later or something like that?
Comment 9 georg 2015-10-15 05:11:09 UTC
I already changed my cron job time to 2 hours later.
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2015-10-15 10:38:56 UTC
Hmm, then I suspect the download may be distorted midway. Are you sure that the download does not get interrupted somehow?
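
Added example (not part of the bug thread, not georg's attached script and not Gentoo's own tooling): one way a cron job can cope with the two causes suggested in comments 8 and 10, a mirror caught mid-update or a truncated download, by fetching the tarball and its .gpgsig as a pair, retrying only on a data/signature mismatch, and never installing an unverified file. The mirror URL, the FETCH, VERIFY, MAX_TRIES, RETRY_DELAY and GPG_HOME variables, and the 600-second default delay are assumptions of this example.

```shell
#!/bin/sh
# Added example: fetch snapshot + detached signature as a pair, verify, retry.
NAME=portage-latest.tar.xz

# Map `gpg --status-fd` lines on stdin to a single verdict word.
classify_status() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "BADSIG" { bad = 1 }
         $2 == "ERRSIG" || $2 == "NO_PUBKEY" { nokey = 1 }
         $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
         $2 == "VALIDSIG" { valid = 1 }
         END { if (bad) print "mismatch"         # data and signature disagree
               else if (nokey) print "no-key"
               else if (stale) print "stale-key" # checked before VALIDSIG on purpose
               else if (valid) print "ok"
               else print "unknown" }'
}

# verify_pair TARBALL SIG -> verdict; keyring directory as listed in comment 7.
verify_pair() {
    gpg --homedir "${GPG_HOME:-/etc/portage/gpg}" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | classify_status
}

fetch_url() { curl --fail --silent --show-error --output "$2" "$1"; }

# fetch_verified BASE_URL DEST_DIR: returns 0 only if the downloaded pair verifies.
# FETCH and VERIFY name replaceable functions (hypothetical hooks of this example).
fetch_verified() {
    base=$1; dest=$2; try=0; max=${MAX_TRIES:-3}
    tmp=$(mktemp -d) || return 2
    while [ "$try" -lt "$max" ]; do
        try=$((try + 1))
        "${FETCH:-fetch_url}" "$base/$NAME" "$tmp/$NAME" &&
            "${FETCH:-fetch_url}" "$base/$NAME.gpgsig" "$tmp/$NAME.gpgsig" &&
            verdict=$("${VERIFY:-verify_pair}" "$tmp/$NAME" "$tmp/$NAME.gpgsig") ||
            verdict=fetch-failed
        case $verdict in
            ok) mv "$tmp/$NAME" "$tmp/$NAME.gpgsig" "$dest"/ &&
                    rm -rf "$tmp" && return 0
                break ;;
            mismatch|fetch-failed)   # mirror mid-update or truncated download
                [ "$try" -lt "$max" ] && sleep "${RETRY_DELAY:-600}" ;;
            *) break ;;              # key problems are not fixed by retrying
        esac
    done
    echo "$NAME not installed after $try tries (last verdict: $verdict)" >&2
    rm -rf "$tmp"; return 1
}
# Cron usage (placeholder URL): fetch_verified "https://mirror.example/snapshots" /tmp
```

Because both files are downloaded into a private temporary directory and moved into place only after a VALIDSIG verdict, a failed run leaves the previously verified snapshot untouched.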