The signature verification of the gentoo repository already works out of the box, and it would be very nice if binary package signatures by Gentoo Releng could be verified out of the box in a similar way.

We've made a small helper, app-portage/getuto, which is intended to be called (without any parameters) as root before each portage run involving remote binary packages. It does two things:

1) If /etc/portage/gnupg does not exist yet, then it creates it and sets it up to trust Gentoo Release Engineering keys from sec-keys/openpgp-keys-gentoo-release
2) If /etc/portage/gnupg already exists, then it refreshes its keyring from the keyservers

Source is at https://github.com/projg2/getuto/

Now my suggestion would be to add code to portage that calls a "trust setup helper" (configurable but by default getuto) before every operation involving remote binary repositories. As far as I can see, the best place would be at the beginning of _populate_remote in lib/portage/dbapi/bintree.py

E.g. there could be a default setting PORTAGE_TRUST_HELPER=/usr/bin/getuto and then this is called.

I'll start preparing patches, but someone with more portage experience could probably write this down in a few minutes (feel free to do so).
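As an added illustration of the hook proposed above (this is not portage's or getuto's own code): a small runner that reads PORTAGE_TRUST_HELPER, skips when the helper is not installed or the caller is not root, and fails loudly when the helper itself exits non-zero. The `is_root`, `helper_exists` and `runner` parameters are assumptions added so the function can be exercised without a real getuto binary.

```python
import os
import shlex
import shutil
import subprocess

# Default taken from the proposal in this bug; overridable via make.conf.
DEFAULT_TRUST_HELPER = "/usr/bin/getuto"


def _is_executable(path):
    # Accept both an absolute path and a bare command name on PATH.
    return shutil.which(path) is not None


def run_trust_helper(settings, *, is_root=None, helper_exists=_is_executable,
                     runner=subprocess.run):
    """Run the trust setup helper before touching a remote binpkg repository.

    settings: dict-like holding portage variables (PORTAGE_TRUST_HELPER, ...).
    Returns "ran", "disabled", "not-root" or "missing".  Raises RuntimeError
    when the helper is present but fails, so a broken keyring setup never
    silently falls through to fetching packages whose signatures cannot be
    checked.  The hook is meant to run whenever remote binpkgs are involved,
    independent of FEATURES="binpkg-request-signature", because signatures
    that are present get verified either way.
    """
    helper = settings.get("PORTAGE_TRUST_HELPER", DEFAULT_TRUST_HELPER).strip()
    if not helper:
        return "disabled"            # PORTAGE_TRUST_HELPER="" in make.conf
    argv = shlex.split(helper)       # getuto itself takes no parameters
    if is_root is None:
        is_root = os.geteuid() == 0
    if not is_root:
        return "not-root"            # helper must write /etc/portage/gnupg
    if not helper_exists(argv[0]):
        return "missing"             # not installed: skip, do not abort emerge
    result = runner(argv, check=False)
    if result.returncode != 0:
        raise RuntimeError(f"{argv[0]} exited with status {result.returncode}")
    return "ran"
```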
We now have app-portage/getuto and:

commit 3e56f8a6498cd90a7d5fe472febf586455c3bad7
Author: Andreas K. Hüttel <dilfridge@gentoo.org>
Date:   Wed Aug 30 19:57:19 2023 +0200

    Run PORTAGE_TRUST_HELPER before remote binary package operations

    Right now this is somewhat suboptimal because the helper is only called if
    FEATURES="binpkg-request-signature" is set, but existing signatures are also
    verified otherwise.

    Closes: https://github.com/gentoo/portage/pull/1085
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Some issue got introduced in late refactoring in the PR where it seems to fail if getuto isn't installed on a system.
(In reply to Sam James from comment #2)
> Some issue got introduced in late refactoring in the PR where it seems to
> fail if getuto isn't installed on a system.

https://github.com/gentoo/portage/pull/1097
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f9211a35abef13079f93a96f57f3a96083c69a7

commit 9f9211a35abef13079f93a96f57f3a96083c69a7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-10-03 15:38:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-03 15:38:41 +0000

    sys-apps/portage: add 3.0.52

    Closes: https://bugs.gentoo.org/704866
    Closes: https://bugs.gentoo.org/877793
    Closes: https://bugs.gentoo.org/889300
    Closes: https://bugs.gentoo.org/900224
    Closes: https://bugs.gentoo.org/912676
    Closes: https://bugs.gentoo.org/912808
    Closes: https://bugs.gentoo.org/913070
    Closes: https://bugs.gentoo.org/913103
    Closes: https://bugs.gentoo.org/914159
    Closes: https://bugs.gentoo.org/915054
    Closes: https://bugs.gentoo.org/915119
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/portage/Manifest              |   1 +
 sys-apps/portage/portage-3.0.52.ebuild | 235 +++++++++++++++++++++++++++++++++
 2 files changed, 236 insertions(+)