Gpg shows a warning concerning the directory where the keys are installed:

gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release
gpg: WARNING: unsafe permissions on homedir `/var/lib/gentoo/gkeys/keyrings/gentoo/release'
gpg: Go ahead and type your message ...

The default permissions after installation are:

stat -c '%a %n' /var/lib/gentoo/gkeys/keyrings/gentoo/release
755 /var/lib/gentoo/gkeys/keyrings/gentoo/release

It should be 700.
I forgot to mention it's for the app-crypt/gentoo-keys ebuild
If necessary, I confirm this.

By the way, is chmod-ing this new gnupg homedir for the gentoo keyrings to 700 the right way? What are we supposed to do from now on? :) (And... why change the old dir /etc/portage/gpg?)

Thanks in advance.

[~off] ---
Just my opinion, but clarifying the different handbook pages could be useful, I think, i.e.
https://wiki.gentoo.org/wiki/Handbook:Parts/Working/Features#Pulling_validated_Gentoo_ebuild_tree_snapshots
especially if "§_Original_install_and_configuration_instructions" is now obsolete
& this one: https://wiki.gentoo.org/wiki//etc/portage/repos.conf/webrsync.conf -> "§_Optional:_Verify_releng_Signature"
& maybe this one too: https://wiki.gentoo.org/wiki/Project:RelEng#Release_security_and_signing -> 0xBB572E0E2D182910 key now seems to expire on 2017-08-25
--- [/~off]
Created attachment 429040
Proposed ebuild patch

Added "fperms 700" instruction for destination folder
See https://github.com/gentoo/gentoo/pull/5294
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2f7f5f9db42058b76e155ab3e87d36c86062ed

commit 7b2f7f5f9db42058b76e155ab3e87d36c86062ed
Author:     charIes17 <charles17@arcor.de>
AuthorDate: 2017-08-04 12:03:18 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 23:08:10 +0000

    app-crypt/gentoo-keys: bump to EAPI 6.

    Package-Manager: Portage-2.3.6, Repoman-2.3.1
    Closes: https://bugs.gentoo.org/566782
    Closes: https://github.com/gentoo/gentoo/pull/5294

 .../gentoo-keys/gentoo-keys-201607021514-r1.ebuild | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
It occurs to me, now that this bug has been fixed, that it shouldn't have been, and instead should have been marked invalid. Furthermore, it seems inappropriate to have merged a fix for this bug when the gkeys project hasn't even acknowledged it as a bug. Regarding this bug's validity, the purpose of the gentoo-keys package is to provide a keyring of Gentoo keys for use in validating signatures of various things produced by Gentoo, and thus the keyring has usefulness to all users, including unprivileged ones. Therefore, it makes no sense to change the directory permissions to allow only root access to the keyring. You should not be using the directory as a gpg homedir (because that's going to put other crap in it that should not be there), but rather use gpg's --keyring option to add the keyring to the list that gpg uses for that operation.
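The approach described in the comment above (keep the shared keyring directory readable by everyone, and pass the keyring with --keyring instead of using that directory as a homedir), as an added example that is not part of the original thread or of any Gentoo tool. The function names and the keyring file path argument are assumptions; GNU stat is assumed, as in the original report.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are supplied by
# the caller. Requires GNU stat (-c), as used in the original report.

# Print the permission bits of a path as an integer (octal mode parsed).
mode_bits() {
    m=$(stat -c '%a' "$1") || return 2
    echo $((0$m))
}

# A keyring directory shared with unprivileged users: group/other must be
# able to read and traverse it (055) but must not be able to write (022).
shared_keyring_dir_ok() {
    bits=$(mode_bits "$1") || return 2
    [ $((bits & 022)) -eq 0 ] && [ $((bits & 055)) -eq $((055)) ]
}

# A gpg homedir: no group/other bits at all (e.g. 700); anything else is
# what triggers gpg's "unsafe permissions on homedir" warning.
private_homedir_ok() {
    bits=$(mode_bits "$1") || return 2
    [ $((bits & 077)) -eq 0 ]
}

# Verify a detached signature against the shared keyring only. gpg gets a
# throwaway private homedir (mktemp -d creates it with mode 700), so it
# writes nothing into the shared directory and needs no write access to it.
verify_with_shared_keyring() {
    keyring=$1 sig=$2 data=$3
    shared_keyring_dir_ok "$(dirname "$keyring")" || {
        echo "refusing: keyring directory must be readable but not writable by group/other" >&2
        return 3
    }
    home=$(mktemp -d) || return 2
    rc=0
    gpg --homedir "$home" --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$data" || rc=$?
    rm -rf "$home"
    return "$rc"
}
```

An unprivileged user would call `verify_with_shared_keyring <keyring file> <signature> <signed file>`; the exit status is gpg's own.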
Wondering how this

monsieurp: The fix is wrong, because now non-root users can't verify against the trusted keyring.

Tomás F.: What was the command you used to trigger the error?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a0bf85c6c8c63c5cfce06f139b3a4415289b605

commit 0a0bf85c6c8c63c5cfce06f139b3a4415289b605
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-28 07:24:21 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 07:25:19 +0000

    app-crypt/gentoo-keys: clean up bogus version.

    Bug: https://bugs.gentoo.org/566782
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 .../gentoo-keys/gentoo-keys-201607021514-r1.ebuild | 25 ----------------------
 1 file changed, 25 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2bc873c3e462aa1ca11631cc66ddd6abd928eca

commit a2bc873c3e462aa1ca11631cc66ddd6abd928eca
Author:     Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-28 07:23:16 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-28 07:25:13 +0000

    app-crypt/gentoo-keys: remove fperms call.

    Bug: https://bugs.gentoo.org/566782
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 .../gentoo-keys/gentoo-keys-201607021514-r2.ebuild | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
Thanks for the heads up. Let me know if you need help.
app-crypt/gkeys is last rited now.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32fc08c68bbe2ce83e02ab4f36dd66394edc827e

commit 32fc08c68bbe2ce83e02ab4f36dd66394edc827e
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-05-18 22:14:08 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-05-18 22:14:08 +0000

    package.mask: Last rite app-crypt/gentoo-keys

    Bug: https://bugs.gentoo.org/566782
    Bug: https://bugs.gentoo.org/659822
    Signed-off-by: David Seifert <soap@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aec4aff19e1f7aae238a7ef447aa7e708a6b8b1c

commit aec4aff19e1f7aae238a7ef447aa7e708a6b8b1c
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-06-22 13:12:48 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-06-22 13:12:48 +0000

    app-crypt/gentoo-keys: treeclean

    Closes: https://bugs.gentoo.org/659822
    Closes: https://bugs.gentoo.org/566782
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-crypt/gentoo-keys/Manifest                       |  1 -
 .../gentoo-keys/gentoo-keys-201901130136.ebuild      | 20 --------------------
 app-crypt/gentoo-keys/metadata.xml                   |  8 --------
 profiles/package.mask                                | 10 ----------
 4 files changed, 39 deletions(-)