
Bug 480580

Summary: [Future EAPI] Support for verifying upstream signatures/checksums
Product: Gentoo Hosted Projects
Component: PMS/EAPI
Reporter: Michał Górny <mgorny>
Assignee: PMS/EAPI <pms>
Status: RESOLVED OBSOLETE
Severity: enhancement
CC: dolsen, esigra, mrueg, sam, tsmksubc
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 174380

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-08-11 07:31:41 UTC
(possibly metadata.xml instead)

Currently, we're expecting the developers to manually ensure upstream tarball validity. However, considering that some upstreams do provide GPG signatures for their software and others provide various checksums, I think it would be beneficial if we were able to provide links/patterns for those checksums and PM would be able to fetch and check them.
Comment 1 Brian Dolbec gentoo-dev 2013-08-11 14:24:58 UTC
The gentoo-keys project [1] was originally meant to manage gentoo's gpg keys.
It does this through use of seed files which contain information about the gpg key. That info is used to download and install the gpg key(s) onto a system from a keyserver. It then provides both a command line interface and a python API to manage those keys and perform verification of release media, git commits, etc.

Since the majority of the code will be in place already for other tasks, it will be easy to extend its capability to be used for packages as well. While the normal method is for it to obtain the seed info from a seed file which can be updated from api.gentoo.org similar to the repositories.xml file for layman, the seed info for a pkg could be added to its metadata.xml. The package manager would supply that info to a gkeys lib instance api function which could automatically check if the key was installed, import it if not already, then verify the contents of the sources. Also a GPG_URI could be added (possibly) to the package's ebuild for the eclass/package manager to download. It would be the detached gpg signature for the sources. That signature could then be used to verify the source. This would also provide a method that does not require downloading and creating a manifest for the source, along the lines of a thin-manifest. A package could be created with no need for a distfile manifest entry.

[1] http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git;a=summary
Comment 2 Sam James archtester gentoo-dev Security 2021-05-13 15:50:12 UTC
Note that we now have verify-sig.eclass, but it's not a replacement for PMS 'support'.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 10:20:23 UTC
(In reply to Sam James from comment #2)
> Note that we now have verify-sig.eclass, but it's not a replacement for PMS
> 'support'.

I don't think this fits the idea of generic/compact things we want in the PMS.  After all, verify-sig right now supports two kinds of signatures already (detached and signed *sum files), there's use of on-the-fly unpacking+verification (in vanilla-kernel), there's a request for minisig format...
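The two verification shapes the thread talks about, a detached OpenPGP signature over the distfile (comment 1's GPG_URI idea) and a signed *sum file (comment 3), as an added example that is not part of this bug, not Gentoo's verify-sig.eclass and not gkeys. It assumes a GnuPG CLI on PATH and a per-package keyring directory (`homedir`), both assumptions of the example; the sample SHA256SUMS and its signature armor are constructed placeholders. The point it makes explicit is that a checksum file only gives integrity; authenticity has to come from a good signature over that file, so an unsigned or badly signed sum file is rejected even when the digest would match.

```python
"""Example policy for verifying upstream distfiles (not Gentoo code)."""
import hashlib
import hmac
import re
import subprocess
from pathlib import Path

GPG = "gpg"  # assumption: GnuPG CLI on PATH when this is run for real


def gpg_verify(homedir, *paths):
    """Run `gpg --verify` against a dedicated keyring directory.

    Detached signature: gpg_verify(homedir, sig_path, data_path)
    Clearsigned sum file: gpg_verify(homedir, sum_path)
    Returns True only when gpg reports GOODSIG from a key in `homedir`, so a
    key that merely sits in the user's default keyring cannot validate a
    package signature. `homedir` is an assumption of this example.
    """
    proc = subprocess.run(
        [GPG, "--batch", "--homedir", str(homedir), "--status-fd", "1",
         "--verify", *map(str, paths)],
        capture_output=True, text=True, check=False)
    # Rely on the machine-readable status line, not on the exit code alone.
    return proc.returncode == 0 and "[GNUPG:] GOODSIG" in proc.stdout


def clearsigned_body(text):
    """Return the cleartext of an OpenPGP clearsigned message, or `text`
    unchanged if it is not clearsigned. This only extracts the body; it does
    not verify anything, that is gpg_verify's job."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    i += 1  # skip the blank line that ends the header block
    body = []
    for line in lines[i:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body) + "\n"


SUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def parse_sum_file(text):
    """Parse coreutils-style `<hex>  <name>` / `<hex> *<name>` lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = m.groups()
        sums[Path(name).name] = digest.lower()  # drop any directory prefix
    return sums


def digest_matches(data, expected_hex, algo="sha256"):
    """Constant-time comparison of data's digest against the expected hex."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_against_signed_sums(distfile_name, data, sum_text,
                               sums_signature_ok, algo="sha256"):
    """Accept the distfile only if the sum file's signature verified AND the
    digest matches. `sums_signature_ok` is the result of gpg_verify() on the
    sum file, passed in so this function can be exercised without a keyring."""
    if not sums_signature_ok:
        return False  # an unsigned sum file proves nothing about authenticity
    expected = parse_sum_file(clearsigned_body(sum_text)).get(distfile_name)
    if expected is None:
        return False
    return digest_matches(data, expected, algo)


# Constructed sample: a clearsigned SHA256SUMS covering a distfile whose
# content is the bytes b"abc". The signature armor is a placeholder, not a
# real signature; only the cleartext body is used here.
SAMPLE_SUMS = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  foo-1.0.tar.gz
-----BEGIN PGP SIGNATURE-----
<placeholder: not a real signature>
-----END PGP SIGNATURE-----
"""
```

In a real fetch step the package manager would download the distfile plus either its detached signature or the clearsigned sum file, call `gpg_verify` with the package's own keyring, and only then hand the result to `verify_against_signed_sums` (or, for the detached case, treat the GOODSIG result itself as the verdict). Keeping the digest comparison constant-time and the keyring per package are the two design choices worth carrying over to whatever the PMS-level mechanism ends up being.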