| Summary: | emerge-delta-webrsync / infra: need to add GPG signature of uncompressed tarball rather than compressed one | | |
|---|---|---|---|
| Product: | Portage Development | Reporter: | sf <sf-gentoo> |
| Component: | Tools | Assignee: | Portage Tools Team <tools-portage> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | infra-bugs, ncl |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=574752 https://bugs.gentoo.org/show_bug.cgi?id=286373 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
sf
2016-02-05 11:19:51 UTC
Try: gpg --refresh-keys

This is not bug 570734. My keys are up to date:

```
# gpg --homedir /etc/portage/gnupg --list-keys
/etc/portage/gnupg/pubring.gpg
------------------------------
pub   4096R/96D8BF6D 2011-11-25 [expires: 2016-07-01]
uid       [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub   4096R/C9189250 2011-11-25 [expires: 2016-07-01]
```

This is not a key issue; the tarball emerge-delta-webrsync produces is different from the original.

md5sums:

```
2852f5b070e5db382c22bdef98350ffa  /var/tmp/portage/delta-webrsync-F3zQ9V/portage-20160205.tar.bz2
2d54187ce61a7599f7a0017676b5f36a  portage-20160205.tar.bz2
```

After bunzip2:

```
0d4e56b12f1b9cfae871d7a5b59c5a39  portage-20160205-diff.tar
0d4e56b12f1b9cfae871d7a5b59c5a39  portage-20160205-orig.tar
```

sha256sums just in case:

```
29d3f073e6bc1a1dd2c5f7d453dedab5c9183b8043a055ce438a4e0d3ad70916  portage-20160205-diff.tar
29d3f073e6bc1a1dd2c5f7d453dedab5c9183b8043a055ce438a4e0d3ad70916  portage-20160205-orig.tar
```

bzip2 -vk9 (as emerge-delta-webrsync uses) yields the same file (expected):

```
2852f5b070e5db382c22bdef98350ffa  portage-20160205-diff.tar.bz2
```

lbzip2 -k9 yields:

```
2d54187ce61a7599f7a0017676b5f36a  portage-20160205-diff.tar.bz2
```

Which matches the bz2 in the repos. So, it appears emerge-delta-webrsync users now need to start using lbzip2.

Relying on specific output from recompression is a bad idea. I think we should start providing a GPG signature of the uncompressed tarball, and emerge-delta-webrsync should verify that instead.

I've updated the scripts now, so hopefully the next snapshot will work again. Please let me know if that's the case but don't close the bug since we really need to update the way e-d-w verifies tarballs.

emerge-delta-webrsync could successfully create portage-20160208.tar.bz2 from portage-20160207.tar.bz2. Thanks for your effort, Michał.

(In reply to Michał Górny from comment #5)
> I've updated the scripts now, so hopefully the next snapshot will work
> again. Please let me know if that's the case but don't close the bug since
> we really need to update the way e-d-w verifies tarballs.

Heh, Zac mentioned this a while ago in bug 286373 too.
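The failure discussed in this bug, as an added example that is not part of the original report or of emerge-delta-webrsync: two valid bzip2 encodings of the same tarball content have different compressed digests but the same uncompressed digest, so verification has to cover the decompressed stream. It assumes a published SHA-256 of the uncompressed data standing in for the detached GPG signature proposed above; `PAYLOAD`, `published`, `rebuilt` and the function names are constructed for illustration.

```python
import bz2
import hashlib
import hmac
import io

# Constructed stand-in for the contents of an uncompressed snapshot tarball.
PAYLOAD = b"".join(b"app-misc/pkg-%d/pkg-%d.ebuild\n" % (i, i) for i in range(2000))


def sha256_compressed(blob: bytes) -> str:
    """Digest of the compressed bytes; changes with the compressor or its settings."""
    return hashlib.sha256(blob).hexdigest()


def sha256_uncompressed(fileobj, chunk_size: int = 1 << 16) -> str:
    """Digest of the decompressed stream, read in chunks so a large tarball is not held in memory."""
    digest = hashlib.sha256()
    with bz2.open(fileobj, "rb") as stream:
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_snapshot(fileobj, expected_sha256: str) -> bool:
    """True only if the decompressed content matches the published digest."""
    try:
        actual = sha256_uncompressed(fileobj)
    except (OSError, EOFError):  # corrupt or truncated bzip2 data
        return False
    return hmac.compare_digest(actual, expected_sha256)


# Same content, two encodings: the block-size setting alone changes the output bytes.
# This stands in for the mirror's file versus a locally recompressed one.
published = bz2.compress(PAYLOAD, compresslevel=9)
rebuilt = bz2.compress(PAYLOAD, compresslevel=1)
EXPECTED = hashlib.sha256(PAYLOAD).hexdigest()  # digest published for the uncompressed data

if __name__ == "__main__":
    print("compressed digests equal:  ", sha256_compressed(published) == sha256_compressed(rebuilt))
    print("rebuilt snapshot verifies: ", verify_snapshot(io.BytesIO(rebuilt), EXPECTED))
    print("truncated snapshot verifies:", verify_snapshot(io.BytesIO(published[:-10]), EXPECTED))
```

Checking the uncompressed stream means the decompressor runs on data that has not been authenticated yet, so decompression errors are treated as a verification failure rather than left to propagate.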