I am currently doing a completely new Gentoo installation where binpkg is enabled. In the beginning it worked, until today, when no package signature is correct anymore. I did not find out how to manually check the signatures. One example package:

--2024-02-24 15:09:10--  https://mirror.init7.net/gentoo/releases/amd64/binpackages/17.1/x86-64/dev-libs/libaio/libaio-0.3.113-1.gpkg.tar
Resolving mirror.init7.net... 109.202.202.202, 2001:1620::1620
Connecting to mirror.init7.net|109.202.202.202|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 61440 (60K) [application/octet-stream]
Saving to: '/var/cache/binpkgs/dev-libs/libaio/libaio-0.3.113-4.gpkg.tar.partial'

     0K .......... .......... .......... .......... .......... 83% 12.8M 0s
    50K ..........                                            100% 18.6T=0.004s

2024-02-24 15:09:11 (15.3 MB/s) - '/var/cache/binpkgs/dev-libs/libaio/libaio-0.3.113-4.gpkg.tar.partial' saved [61440/61440]

!!! Invalid binary package: '/var/cache/binpkgs/dev-libs/libaio/libaio-0.3.113-4.gpkg.tar.partial', GPG verify failed

I tried getuto several times, even with removing /etc/portage/gnupg.
Here is the content:

~> gpg --homedir=/etc/portage/gnupg --list-keys
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/etc/portage/gnupg'
/etc/portage/gnupg/pubring.kbx
------------------------------
pub   rsa3072 2024-02-24 [SCEA]
      76E07218017921935F158EC2CD95B7191511ABC7
uid   [ ultimativ ] Portage Local Trust Key (local signing only) <portage@localhost>
sub   rsa3072 2024-02-24 [SEA]

pub   rsa4096 2018-05-28 [C] [verfällt: 2024-07-01]
      EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
uid   [vollständig] Gentoo repository mirrors (automated git signing key) <repomirrorci@gentoo.org>
sub   rsa2048 2018-05-28 [S] [verfällt: 2024-07-01]

pub   rsa4096 2011-11-25 [C] [verfällt: 2024-07-01]
      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid   [vollständig] Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>
uid   [vollständig] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub   rsa4096 2011-11-25 [S] [verfällt: 2024-07-01]

pub   dsa1024 2004-07-20 [SC] [verfällt: 2025-07-01]
      D99EAC7379A850BCE47DA5F29E6438C817072058
uid   [vollständig] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub   elg2048 2004-07-20 [E] [verfällt: 2025-07-01]

pub   rsa4096 2009-08-25 [SC] [verfällt: 2024-07-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid   [vollständig] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [verfällt: 2024-07-01]

No installation that needs a binary package works anymore.
It works okay for me right now in a Docker container I'm working on. Please include the full build.log and emerge --info.
The above IS the full build log!

~> emerge --info
Portage 3.0.61 (python 3.11.8-final-0, default/linux/amd64/17.1/hardened, gcc-13, glibc-2.38-r10, 6.6.16-gentoo-dist x86_64)
=================================================================
System uname: Linux-6.6.16-gentoo-dist-x86_64-Intel-R-_Core-TM-2_Duo_CPU_L7500_@_1.60GHz-with-glibc2.38
KiB Mem: 8058292 total, 5949500 free
KiB Swap: 4194300 total, 4194300 free
Timestamp of repository gentoo: Fri, 23 Feb 2024 19:00:00 +0000
Head commit of repository gentoo: aef0ef66bf7cce12aeea00a3efd0e745def7e095
sh bash 5.1_p16-r6
ld GNU ld (Gentoo 2.41 p5) 2.41.0
ccache version 4.9.1 [enabled]
app-misc/pax-utils: 1.3.7::gentoo
app-shells/bash: 5.1_p16-r6::gentoo
dev-build/autoconf: 2.71-r6::gentoo
dev-build/automake: 1.16.5-r2::gentoo
dev-build/cmake: 3.27.9::gentoo
dev-build/libtool: 2.4.7-r2::gentoo
dev-build/make: 4.4.1-r1::gentoo
dev-build/meson: 1.3.1-r1::gentoo
dev-lang/perl: 5.38.2-r1::gentoo
dev-lang/python: 3.11.8_p1::gentoo, 3.12.1_p1::gentoo
dev-lang/rust-bin: 1.74.1::gentoo
dev-util/ccache: 4.9.1::gentoo
sys-apps/baselayout: 2.14-r2::gentoo
sys-apps/openrc: 0.53::gentoo
sys-apps/sandbox: 2.38::gentoo
sys-devel/binutils: 2.41-r5::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/gcc: 13.2.1_p20240113-r1::gentoo
sys-devel/gcc-config: 2.11::gentoo
sys-devel/llvm: 17.0.6::gentoo
sys-kernel/linux-headers: 6.6::gentoo (virtual/os-headers)
sys-libs/glibc: 2.38-r10::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes
    sync-rsync-extra-opts:

Binary Repositories:

gentoobinhost-hardened
    priority: 100
    sync-uri: https://mirror.init7.net/gentoo/releases/amd64/binpackages/17.1/x86-64_hardened

gentoobinhost
    priority: 1
    sync-uri: https://mirror.init7.net/gentoo/releases/amd64/binpackages/17.1/x86-64

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS=" --usepkg-exclude 'sys-kernel/gentoo-sources virtual/* dev-perl/*'"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=core2 -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live ccache config-protect-if-modified distlocks ebuild-locks fixlafiles getbinpkg ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict suidctl unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=core2 -O2 -pipe"
GENTOO_MIRRORS="https://mirror.init7.net/gentoo/ https://distfiles.gentoo.org"
LANG="de_DE"
LC_ALL="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
MAKEOPTS="-j3 -l2"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/zsh"
USE="X acl alsa alsa-plugin amd64 bluetooth bzip2 caps cet cli crypt dri fortran gdbm hardened iconv ipv6 jpeg libtirpc multilib ncurses nls openmp pam pcre pcsc-lite pic pie png readline seccomp split-usr ssl ssp test-rust threads udev unicode vaapi vdpau xattr xtpax zlib zsh-completion" ABI_X86="64" ADA_TARGET="gnat_2021" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" INPUT_DEVICES="evdev keyboard mouse wacom" KERNEL="linux" L10N="de de-1901 de-DE" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-1" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" RUBY_TARGETS="ruby31" VIDEO_CARDS="dummy fbdev i965 intel vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
To be clear, I don't believe that the packages are all broken. But I have no idea what went wrong, as there is just little information. And I have no idea how to check the package manually. I expect some mismatch in signatures, but as I have no further information, that is hard to prove (and to fix).
I found a clue:

gpg: WARNING: unsafe ownership on homedir '/etc/portage/gnupg'
gpg: can't open '/tmp/root/portage-sign-zkspbzl9.sig': Permission denied
gpg: verify signatures failed: Permission denied
[GNUPG:] FAILURE verify 33587201

/tmp/root is only readable by root... And the unsafe ownership is just a warning.
Do you have GPG_VERIFY_USER_DROP, GPG_VERIFY_GROUP_DROP, or any other GPG_ or similar variables set in make.conf or environment (check `env`)?
(In reply to Sam James from comment #5)
> Do you have GPG_VERIFY_USER_DROP, GPG_VERIFY_GROUP_DROP, or any other GPG_
> or similar variables set in make.conf or environment (check `env`)?

BINPKG_* too
… and that led to the bug. Portage is using the TMPDIR environment of root, which is not usable for user portage. When it is unset, it works. So, portage should unset such variables or set them accordingly.
For completeness, this is my make.conf:

COMMON_FLAGS="-march=core2 -O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"

# NOTE: This stage was built with the bindist Use flag enabled
#PORTDIR="/usr/portage"
#DISTDIR="/usr/portage/distfiles"
#PKGDIR="/usr/portage/packages"

# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.
LC_MESSAGES=C

MAKEOPTS="-j3 -l2"
GENTOO_MIRRORS="https://mirror.init7.net/gentoo/ https://distfiles.gentoo.org"
USE="-avahi -dbus -elogind -gnome -gnome-keyring -mono -networkmanager -policykit -portaudio -pulseaudio -systemd -tcpd -upnp -upnp-av -zeroconf alsa alsa-plugin bluetooth caps jpeg pcsc-lite png threads udev vaapi vdpau X zsh-completion"
L10N="de de-1901 de-DE"
FEATURES="ccache getbinpkg suidctl"
CCACHE_SIZE="1G"
INPUT_DEVICES="evdev keyboard mouse wacom"
VIDEO_CARDS="dummy fbdev i965 intel vesa"
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg-exclude 'sys-kernel/gentoo-sources virtual/* dev-perl/*'"
Note that the only thing that helps is to unset $TMPDIR as root. Keeping it and unsetting TMPDIR in /etc/portage/bashrc does not work (but creates other errors), and neither does explicitly setting that variable there.
*** Bug 926428 has been marked as a duplicate of this bug. ***
I would say that invoking Portage with a TMPDIR that is not accessible to the portage user is an error on the part of the user. You should either unset TMPDIR before calling Portage, or set TMPDIR in make.conf.
(In reply to Mike Gilbert from comment #11)
> You should either unset TMPDIR before calling Portage, or set TMPDIR in
> make.conf.

For make.conf TMPDIR settings to be effective it looks like we would need the make.conf environment to propagate to this subprocess.run call:

> def _run_trust_helper(self):
>     portage_trust_helper = self.settings.get("PORTAGE_TRUST_HELPER", "")
>     if portage_trust_helper == "":
>         return
>     try:
>         ret = subprocess.run(portage_trust_helper)
>     except FileNotFoundError:
>         writemsg(
>             _(
>                 "\n!!! Portage trust helper %s for binary packages not found\n!!! Continuing, but did you install app-portage/getuto?\n"
>             )
>             % portage_trust_helper,
>             noiselevel=-1,
>         )
>         return
>     ret.check_returncode()
Ah, my bad. Thinking on it more, maybe we should set TMPDIR=${PORTAGE_TMPDIR} anyway.
There are probably lots of variables we could sanitize better when dropping privileges. We have special setup for the LOGNAME variable in a couple of places:

lib/portage/package/ebuild/fetch.py: env["LOGNAME"] = logname
lib/portage/sync/controller.py: spawn_kwargs["env"]["LOGNAME"] = logname
lib/portage/sync/controller.py: spawn_kwargs["env"]["LOGNAME"] = pw.pw_name
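
The environment clean-up discussed in this thread, as an added sketch that is not Portage's code: before a child is started under a dropped uid/gid, the inherited TMPDIR is kept only if that user can create files in it, and is otherwise replaced by a fallback such as PORTAGE_TMPDIR. The function and parameter names (`dir_usable_by`, `env_for_dropped_child`, `fallback_tmpdir`) are hypothetical.

```python
import os
import stat


def dir_usable_by(path, uid, gid):
    """True if `path` is a directory in which uid/gid may create files.

    Assumption: only the directory's own mode bits are checked (no ACLs,
    no parent traversal, no supplementary groups).
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need


def env_for_dropped_child(env, uid, gid, logname, fallback_tmpdir):
    """Return a copy of `env` adjusted for a child that runs as uid/gid."""
    child = dict(env)
    child["LOGNAME"] = logname  # same idea as the LOGNAME setup quoted above
    tmpdir = child.get("TMPDIR")
    if tmpdir is not None and not dir_usable_by(tmpdir, uid, gid):
        if dir_usable_by(fallback_tmpdir, uid, gid):
            child["TMPDIR"] = fallback_tmpdir
        else:
            del child["TMPDIR"]  # let the child use its built-in default
    return child
```

The returned mapping would be passed as `env=` to the call that spawns the unprivileged child; the caller's own environment is left unchanged.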