Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 200183

Summary: Portage snapshots no longer GPG signed after 2007-11-23, Signing Key expired !
Product: Gentoo Release Media Reporter: Thomas Sachau <tommy>
Component: EverythingAssignee: Gentoo Release Team <releng>
Status: RESOLVED FIXED    
Severity: normal CC: infra-bugs, zmedico
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://gentoo.osuosl.org/snapshots/
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Sachau gentoo-dev 2007-11-24 14:04:59 UTC 
Since 2007-11-23 there are no signatures for portages snapshots on the mirrors. The signing key with ID 7DDAD20D expired that date, so a new key is needed.

Reproducible: Always
Comment 1 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-24 15:53:33 UTC 
Who's responsible for the portage signing key?  I've only got the release key.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-24 16:44:40 UTC 
a new key, or updating the expiry time of the existing key.

portage team: how is the existing key bundled with Portage? If I update it, can you send out a new release with it right away?
Comment 3 Zac Medico gentoo-dev 2007-11-24 17:16:37 UTC 
The key isn't bundled in portage at all. We have a patch from bug 130039 to add gpg verification support to emerge-webrsync. It doesn't check which key the snapshot is signed with, only that it has a "trusted" signature. I suppose we should have a config option that will force it to use a specific key.
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2007-11-25 03:08:26 UTC 
The new signing key is 0x239C75C4. It has been exported to several PGP keyserver networks. The old keys D8BA32AA (expired 2005/Nov/11), and 7DDAD20D (expired 2007/11/23) have been marked as revoked, with the revocation messages directing users to the new keys.

Was there anywhere in CVS that we distributed the public side of these keys?
Comment 5 Andrew Gaffney (RETIRED) gentoo-dev 2008-07-12 17:06:30 UTC 
Is this one fixed then?
Comment 6 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-10-08 18:17:56 UTC 
well - the critical part got fixed. anything left to be done?
Comment 7 Thomas Sachau gentoo-dev 2008-10-10 20:18:51 UTC 
(In reply to comment #3)
> I suppose we
> should have a config option that will force it to use a specific key.

Anything done on this side?

(In reply to comment #4)
> The new signing key is 0x239C75C4. It has been exported to several PGP
> keyserver networks. The old keys D8BA32AA (expired 2005/Nov/11), and 7DDAD20D
> (expired 2007/11/23) have been marked as revoked, with the revocation messages
> directing users to the new keys.
> 
> Was there anywhere in CVS that we distributed the public side of these keys?
> 

If there is no such place, perhaps add it somewhere?
Comment 8 Zac Medico gentoo-dev 2008-10-10 20:44:58 UTC 
(In reply to comment #7)
> (In reply to comment #3)
> > I suppose we
> > should have a config option that will force it to use a specific key.
> 
> Anything done on this side?

Looking at the gpg manpage, I don't see any documented option that allows a specific key to be specified. I guess it doesn't matter as long as the signature is from a trusted key.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-09-02 07:34:55 UTC 
The keys are now documented on this page:
http://www.gentoo.org/proj/en/releng/

I also updated the expiry date of the current snapshot key, so it's good for another 2 years from the previous date.