Summary: | sys-apps/portage: make emerge-webrsync use app-crypt/gkeys to automatically establish trust for gpg signature verification | ||
---|---|---|---|
Product: | Portage Development | Reporter: | Zac Medico <zmedico> |
Component: | Core - Interface (emerge) | Assignee: | Portage team <dev-portage> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | burcheri.massimo+bugs-gentoo, esigra, gkeys, kfm, nbowler, treecleaner, tsmksubc, vladimir.rusinov |
Priority: | Normal | Keywords: | PATCH, PMASKED |
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=689506 | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 453620 | ||
Bug Blocks: | 240187, 597800 | ||
Deadline: | 2020-05-19 | ||
Description
Zac Medico
2016-10-23 20:30:55 UTC
This combination of commands appears to do the job, tested with app-crypt/gkeys-0.2, assuming that tree snapshot and corresponding .gpgsig file have been downloaded to the same directory:

```sh
# fetch the latest key and revocation data
gkeys refresh-key -C gentoo -n snapshot
# check the key to make sure that it's valid
gkeys check-key -C gentoo -n snapshot
# verify the snapshot
gkeys verify -C gentoo -n snapshot -F $DISTDIR/portage-20161023.tar.bz2
```

(In reply to Zac Medico from comment #1)
> # check the key to make sure that it's valid
> gkeys check-key -C gentoo -n snapshot

The above command fails as follows:

```
# gkeys check-key -C gentoo -n snapshot
Checking keys...
snapshot, Gentoo Tree Snapshot (Automated) Signing Key: 0xDB6B8C1F96D8BF6D
==============================================
Gkey task results:
Found:
-------
Expired: 0
Revoked: 0
Invalid: 0
No signing capable subkeys: 0
# echo $?
1
```

There's a patch in the following branch:
https://github.com/zmedico/portage/tree/bug_597918

However, it doesn't work because of the gkeys check-key failure shown in comment #2.

There's a fix for the gkeys check-key issue here:
https://github.com/gentoo/gentoo-keys/pull/53

I've removed the call to gkeys check-key, since we want to treat signatures as valid as long as they were created while the key was still valid.

Patch posted for review:
https://archives.gentoo.org/gentoo-portage-dev/message/8f2be5bfa699498c92d6b432621e1b87
https://github.com/gentoo/portage/pull/64

This is in the master branch:
https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80

(In reply to Zac Medico from comment #7)
> This is in the master branch:
>
> https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80

We need a stabilized release of app-crypt/gkeys, or else we should revert this until we have one.

Yeah, we need to fix a few things and make a new release.

So, yeah, probably best to revert this in master, leave it in a branch we can add the meta-manifest stuff to as well, then we can co-ordinate with gkeys release when both are ready. Then get them both stabled together.

Reverted:
https://gitweb.gentoo.org/proj/portage.git/commit/?id=405ab9faa09efd3ee97f83a6c791188162831c75

app-crypt/gkeys is last rited now.

By default, we use gemato for key refresh since bug 689506.
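The thread above turns on two points: the trust policy emerge-webrsync wants (a snapshot signature is acceptable if the signing key was valid when the signature was made, even if the key has expired since, which is why the `gkeys check-key` step was dropped), and the `check-key` run that reports every problem counter as zero yet exits 1. The following Python is an added example, not code from portage or gkeys, that models that policy and parses the quoted "Gkey task results" summary to show what exit status those counters imply. The `KeyStatus` type, the function names and all key and signature timestamps are constructed for illustration; the only page-derived values are the key id and the quoted check-key output. One design choice beyond the thread's one-sentence policy: this example treats a revoked key as never acceptable, because a revocation says nothing about when the key was actually compromised.

```python
"""Added example (not portage's or gkeys's own code).

1. signature_acceptable(): accept a signature if the key was valid at signing
   time; optionally also require the key to be valid now (the stricter check
   that `gkeys check-key` would have enforced).  Revoked keys always fail.
2. parse_check_key_summary() / implied_exit_status(): parse the "Gkey task
   results" block quoted in the bug and derive the exit status its counters
   imply (all zero -> 0, which is what the failing check-key run should have
   returned).

All KeyStatus values and timestamps below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyStatus:
    key_id: str
    created: datetime
    expires: Optional[datetime]     # None: key does not expire
    revoked_at: Optional[datetime]  # None: key is not revoked


def key_valid_at(key: KeyStatus, when: datetime) -> bool:
    """True if the key was usable for signing at the instant `when`."""
    if when < key.created:
        return False
    if key.revoked_at is not None and when >= key.revoked_at:
        return False
    if key.expires is not None and when >= key.expires:
        return False
    return True


def signature_acceptable(key: KeyStatus, signed_at: datetime, now: datetime,
                         require_key_valid_now: bool = False) -> bool:
    """Trust policy from the thread: validity at signing time is what counts.

    require_key_valid_now=True reproduces the stricter behaviour of keeping
    the `gkeys check-key` step: the key must also be unexpired today.
    A revoked key is rejected regardless of the signing time (assumption made
    by this example; a revocation does not date the compromise).
    """
    if key.revoked_at is not None:
        return False
    if not key_valid_at(key, signed_at):
        return False
    if require_key_valid_now and not key_valid_at(key, now):
        return False
    return True


# The "Gkey task results" lines quoted in the bug report.
CHECK_KEY_OUTPUT = """\
Checking keys...
snapshot, Gentoo Tree Snapshot (Automated) Signing Key: 0xDB6B8C1F96D8BF6D
==============================================
Gkey task results:
Found:
-------
Expired: 0
Revoked: 0
Invalid: 0
No signing capable subkeys: 0
"""

_COUNTER = re.compile(r"^(Expired|Revoked|Invalid|No signing capable subkeys):\s*(\d+)$")


def parse_check_key_summary(output: str) -> Dict[str, int]:
    """Extract the problem counters from a check-key summary block."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        m = _COUNTER.match(line.strip())
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def implied_exit_status(counts: Dict[str, int]) -> int:
    """Non-zero only if at least one problem counter is non-zero."""
    return 1 if any(v > 0 for v in counts.values()) else 0


# Constructed sample data: a key that expired after the snapshot was signed.
UTC = timezone.utc
SIGNED_AT = datetime(2016, 10, 23, tzinfo=UTC)
NOW = datetime(2017, 6, 1, tzinfo=UTC)
EXPIRED_KEY = KeyStatus("0xDB6B8C1F96D8BF6D", datetime(2016, 1, 1, tzinfo=UTC),
                        expires=datetime(2017, 1, 1, tzinfo=UTC), revoked_at=None)
REVOKED_KEY = KeyStatus("0xDB6B8C1F96D8BF6D", datetime(2016, 1, 1, tzinfo=UTC),
                        expires=None, revoked_at=datetime(2016, 12, 1, tzinfo=UTC))

if __name__ == "__main__":
    counts = parse_check_key_summary(CHECK_KEY_OUTPUT)
    print("check-key counters:", counts, "-> implied exit status", implied_exit_status(counts))
    print("expired-since-signing key, signing-time policy:",
          signature_acceptable(EXPIRED_KEY, SIGNED_AT, NOW))
    print("expired-since-signing key, key-valid-now policy:",
          signature_acceptable(EXPIRED_KEY, SIGNED_AT, NOW, require_key_valid_now=True))
    print("revoked key:", signature_acceptable(REVOKED_KEY, SIGNED_AT, NOW))
```

Run as a script it prints the parsed counters with the exit status they imply (0, against the 1 the real run returned), then shows the same expired key being accepted under the signing-time policy and rejected under the key-valid-now policy, and a revoked key being rejected under both.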