The new openpgp-keys-gentoo-release package went straight to stable, but it looks like the repo is still signed with old key:
!!! Manifest verification failed:
OpenPGP verification failed:
gpg: Signature made Tue Jul 3 05:08:29 2018 UTC
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Can't check signature: No public key
*** Bug 659918 has been marked as a duplicate of this bug. ***
!!! Manifest verification failed:
OpenPGP verification failed:
gpg: Signature made mar. 03 juil. 2018 08:08:28 UTC
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Can't check signature: No public key
I'm not in front of my computer right now. If somebody could revert it before I get to it, I'd appreciate that.
*** Bug 659932 has been marked as a duplicate of this bug. ***
Confirm.
Ok, found the issue. Will reroll in a minute.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f15fa767726eef351b0e4df7540a26f59cb3f41f commit f15fa767726eef351b0e4df7540a26f59cb3f41f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2018-07-03 10:22:58 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2018-07-03 10:23:44 +0000 app-crypt/openpgp-keys-gentoo-release: Revert "Bump to 20180702" This release accidentally missed the ebuild repo signing key. Bug: https://bugs.gentoo.org/659914 app-crypt/openpgp-keys-gentoo-release/Manifest | 1 - .../openpgp-keys-gentoo-release-20180702.ebuild | 20 -------------------- 2 files changed, 21 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=673238985f89f33f1d9f906a56a12529cb2abf5f commit 673238985f89f33f1d9f906a56a12529cb2abf5f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2018-07-03 10:26:04 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2018-07-03 10:26:07 +0000 app-crypt/openpgp-keys-gentoo-release: Bump to 20170703 Reroll the new release with complete key set. Bug: https://bugs.gentoo.org/659914 app-crypt/openpgp-keys-gentoo-release/Manifest | 1 + .../openpgp-keys-gentoo-release-20180703.ebuild | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+)
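Review bot: the subject line says "Bump to 20170703", but the diffstat adds openpgp-keys-gentoo-release-20180703.ebuild, so the version in the subject does not match the file being added. The subject should read 20180703 so that a log search for the release version finds this commit.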
I'm sorry for the problem. I've accidentally omitted exporting the key because it had no UID. I've removed the faulty release and rerolled the new key set as 20170703. I'm going to keep this bug for a while to let others who hit the issue find it.
To resolve the problem, please downgrade to the previous version of app-crypt/openpgp-keys-gentoo-release (20180530). Afterwards, please sync again and make sure to verify the key fingerprint at the end of sync process. Gemato should state:
 * Valid OpenPGP signature found:
 * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
 * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
When will this update be available? (emerge --sync didn't yet update right now).
(In reply to Nico Baggus from comment #10)
> When will this update be available?
> (emerge --sync didn't yet update right now).
rsync master is updated every 30 minutes but mirrors take more time to sync. There's nothing wrong with the previous version (and gemato refreshes keys anyway), so downgrading to the previous release is just fine.
This may help in the meantime to prevent getting the bad one:
echo >>/etc/portage/package.mask =app-crypt/openpgp-keys-gentoo-release-20180702
(In reply to Michał Górny from comment #9)
> To resolve the problem, please downgrade to the previous version of
> app-crypt/openpgp-keys-gentoo-release (20180530). Afterwards, please sync
> again and make sure to verify the key fingerprint at the end of sync
> process. Gemato should state:
>
> * Valid OpenPGP signature found:
> * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
> * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
I can confirm this works. Thanks!
 * Manifest timestamp: 2018-07-03 11:09:16 UTC
 * Valid OpenPGP signature found:
 * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
 * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
 * - timestamp: 2018-07-03 11:09:16 UTC
 * Verifying /usr/portage ... [ ok ]
The new one is now in the mirror i use..
Guys, you know that this is the security worst case that just happened? How am I able to trust the portage to downgrade the openpgp-keys-gentoo-release package? Can you please make sure, that this doesn't happen again in the future...
(In reply to Reto Gantenbein (ganto) from comment #15)
> Guys, you know that this is the security worst case that just happened? How am
> I able to trust the portage to downgrade the openpgp-keys-gentoo-release
> package?
>
> Can you please make sure, that this doesn't happen again in the future...
Easily. Assuming you don't deep clean your distfiles after each update, you should still have the older version's source on your device -- just emerge that. And even if you do, you should be just fine as long as the new sync verifies through.
Please try to keep in mind that Gentoo is a community distro and that mistakes happen. I'm sure you're a nice guy and didn't intend to come off sounding like a dick, but you sure came pretty close. For goodness sake, the man even apologized.
stumbled about this problem today, downgrading to openpgp-keys-gentoo-release-20180530 as suggested did NOT solve it - behaviour is exactly the same
(In reply to groepaz from comment #17)
> stumbled about this problem today, downgrading to
> openpgp-keys-gentoo-release-20180530 as suggested did NOT solve it -
> behaviour is exactly the same
In that case you are hitting a different problem.
indeed! apparently i missed some memo/news... (probably long ago?). what i had to do was:
$ mv /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
i only wonder why it worked so long, without any sign of an error :)
Hi groepaz@gmx.net,
$ cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
does not help. But
$ emerge =app-crypt/openpgp-keys-gentoo-release-20180703 -1
solves the issue.
it certainly helped here - together with the downgrade, of course :)
(In reply to groepaz from comment #21)
> it certainly helped here - together with the downgrade, of course :)
Oh, I've missed the downgrade, sorry.
I'm pretty sure that some test case should be added to prevent such situations in the future.
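
Added example, not part of any comment in this thread and not Gentoo's own release tooling: a check of the kind the preceding comment asks for, run over a `gpg --with-colons` key listing of the bundle before it is released. It matches on the two fingerprints gemato reports above rather than on UIDs; the `rec` helper, the sample listings and the all-zero placeholder fingerprint are constructed for illustration.

```python
# Gate a key bundle on the fingerprints the repository is signed with, never
# on UIDs. Input: text of a `gpg --with-colons` key listing of the bundle.

PRIMARY = "DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"  # from gemato output above
SUBKEY = "E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250"   # from gemato output above
REQUIRED = {PRIMARY, SUBKEY}

def parse_colons(listing):
    """Return one dict per primary key: its fingerprints and its UIDs."""
    keys, expect_fpr = [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"fprs": [], "uids": []})
        if f[0] in ("pub", "sub"):
            expect_fpr = bool(keys)  # the next fpr record describes this key
        elif f[0] == "fpr" and expect_fpr and len(f) > 9:
            keys[-1]["fprs"].append(f[9])  # first entry is the primary key
            expect_fpr = False
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1]["uids"].append(f[9])
    return keys

def check_bundle(listing, required=REQUIRED):
    """Return (required fingerprints missing, primary keys that carry no UID)."""
    keys = parse_colons(listing)
    present = {fp for k in keys for fp in k["fprs"]}
    missing = sorted(set(required) - present)
    no_uid = sorted(k["fprs"][0] for k in keys if k["fprs"] and not k["uids"])
    return missing, no_uid

def rec(kind, field10=""):
    """Constructed, trimmed colon record: only fields 1 and 10 are filled."""
    return kind + ":" * 9 + field10 + ":\n"

# Constructed sample listings; the all-zero fingerprint is a placeholder.
OTHER = rec("pub") + rec("fpr", "0" * 39 + "1") + rec("uid", "Other key (constructed)")
SIGNING = rec("pub") + rec("fpr", PRIMARY)
SIGNING_SUB = rec("sub") + rec("fpr", SUBKEY)
COMPLETE = OTHER + SIGNING + rec("uid", "Signing key (constructed UID)") + SIGNING_SUB
COMPLETE_NO_UID = OTHER + SIGNING + SIGNING_SUB  # no UID, key still present
INCOMPLETE = OTHER                               # signing key left out

if __name__ == "__main__":
    for name in ("COMPLETE", "COMPLETE_NO_UID", "INCOMPLETE"):
        print(name, check_bundle(globals()[name]))
```

A release would be blocked whenever the first list is non-empty; the second list is informational and names keys that a UID-based export could skip.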
*** Bug 660492 has been marked as a duplicate of this bug. ***
*** Bug 660524 has been marked as a duplicate of this bug. ***
Downgrade to app-crypt/openpgp-keys-gentoo-release-20180530 didn't help me
>>> app-crypt/openpgp-keys-gentoo-release-20180530 merged.
>>> Auto-cleaning packages...
>>> No outdated packages were found on your system.
 * GNU info directory index is up-to-date.
server /home/semen #
server /home/semen # emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: Invalid argument
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: Invalid argument
...
(In reply to Semen Panevin from comment #26)
> Downgrade to app-crypt/openpgp-keys-gentoo-release-20180530 didn't help me
>
> >>> app-crypt/openpgp-keys-gentoo-release-20180530 merged.
> >>> Auto-cleaning packages...
>
> >>> No outdated packages were found on your system.
>
> * GNU info directory index is up-to-date.
> server /home/semen #
> server /home/semen # emerge --sync
> >>> Syncing repository 'gentoo' into '/usr/portage'...
> * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
> gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
> gpg: keyserver refresh failed: Invalid argument
>
> OpenPGP keyring refresh failed:
> gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
> gpg: keyserver refresh failed: Invalid argument
> ...
Fixed after emerge-webrsync and update world
$ gpg --keyring /usr/share/openpgp-keys/gentoo-release.asc --list-keys
/usr/share/openpgp-keys/gentoo-release.asc
------------------------------------------
pub rsa4096 2011-11-25 [C] [expired: 2019-01-01]
 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid [ expired] Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>
uid [ expired] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
....
!!! Manifest verification failed:
OpenPGP signature rejected because of expired key:
gpg: Signature made Tue Jan 1 11:38:39 2019 UTC
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" [expired]
gpg: aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [expired]
gpg: WARNING: Using untrusted key!
Shouldn't this bug be closed already?
Indeed it should.
I still get this error.
[I] app-crypt/openpgp-keys-gentoo-release
 Available versions: 20190224 {test}
 Installed versions: 20190224(18时28分03秒 2019年03月28日)(-test)
 Homepage: https://www.gentoo.org/downloads/signatures/
 Description: OpenPGP keys used for Gentoo releases (snapshots, stages)
Please file a new bug and include full output.