
Bug 598589

Summary: [Future EAPI] Add GPG --verify and/or GPG Array function in eBuilds
Product: Gentoo Hosted Projects Reporter: tonemgub
Component: PMS/EAPI
Assignee: PMS/EAPI <pms>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description tonemgub 2016-10-30 18:08:02 UTC
In Arch's PKGBUILDs it is possible to specify a GPG key which will be checked prior to extracting the source package. This is particularly useful as a secondary check of verification for third-party overlays/sources to verify upstream sources are indeed correct. It is commonly used in PCR for this purpose.
(https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys for reference) 

I think it would be beneficial to add this feature to ebuilds to help add more security to overlays. While repoman does create a hash check, it does not verify trust via upstream .gpgsigs. This feature would allow maintainers to do so.

Thank you.
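The mechanism the report describes, pinning the expected signing-key fingerprint the way PKGBUILD validpgpkeys does rather than trusting gpg's exit status, is shown below as an added example; it is not code from this bug, from Arch, or from the Gentoo tree. It parses the machine-readable output gpg produces with --status-fd (a real gpg option; the VALIDSIG line carries the signing-key fingerprint as its first field and the primary-key fingerprint as its last). The pinned fingerprint and the three sample status outputs are constructed placeholders, not values captured from any real key or run.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Gentoo/Arch code.
#
# gpg exits 0 for a good signature from ANY key in the keyring, so a check
# that only looks at "$?" would accept an upstream tarball signed by some
# unrelated key that happened to be imported. The check below accepts only a
# VALIDSIG whose fingerprint, or whose primary-key fingerprint when a signing
# subkey was used, matches the fingerprint pinned by the maintainer.

# Pinned upstream fingerprint. Constructed placeholder, not a real project key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# sig_ok STATUS_TEXT PINNED_FPR
# STATUS_TEXT is the text gpg wrote to --status-fd. Returns 0 when it contains
# a VALIDSIG line for PINNED_FPR (as signing key, field 3, or as primary key,
# field 12), otherwise 1. Spaces and case in PINNED_FPR are normalised first.
sig_ok() {
    _want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$_want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# verify_source TARBALL SIGFILE [PINNED_FPR]
# Runs gpg against the caller's keyring with status lines sent to stdout, then
# applies sig_ok. Human-readable diagnostics on stderr are discarded.
verify_source() {
    _status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    sig_ok "$_status" "${3:-$PINNED_FPR}"
}

# Constructed sample status outputs (not captured from a real gpg run).

# Good signature made by a subkey whose primary key is the pinned one: accept.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-10-30 1477850882 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Good signature, but from a key that is merely present in the keyring: reject,
# even though gpg itself would have exited 0 here.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0011223344556677 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 00112233445566770011223344556677001122FF 2016-10-30 1477850882 0 4 0 1 10 00 00112233445566770011223344556677001122FF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Bad signature: gpg emits BADSIG and no VALIDSIG line at all: reject.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Upstream <upstream@example.invalid>'

# Stand-alone demonstration over the constructed samples.
for _name in SAMPLE_GOOD SAMPLE_OTHER_KEY SAMPLE_BAD; do
    eval "_text=\$$_name"
    if sig_ok "$_text" "$PINNED_FPR"; then
        printf '%s: accepted\n' "$_name"
    else
        printf '%s: rejected\n' "$_name"
    fi
done
```

In an ebuild this check would run in src_unpack before the archive is extracted, so a tarball whose signature does not come from the pinned key never reaches the build. The keyring management problem that Comment 2 raises (which keys to import, how to refresh them) is deliberately outside this snippet: it assumes the upstream key is already present and only settles which key is allowed to vouch for the source.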
Comment 1 Ulrich Müller gentoo-dev 2016-10-30 22:07:48 UTC
Since PMS doesn't even specify Manifest verification, this rather looks like GLEP territory (GLEP 57 to 61), not like something that should go into PMS.

*** This bug has been marked as a duplicate of bug 472594 ***
Comment 2 Brian Dolbec (RETIRED) gentoo-dev 2016-10-31 18:03:39 UTC
For overlays, there will be a system that involves the use of gkeys from the gentoo-keys project that will be integrated into portage/layman to verify the content of a repository.

But I think these functions could be needed for other content/purposes. The problem, though, involves the management of the multitude of keys being needed, their refresh updates, etc. That is something the gentoo-keys project was formed to deal with. There is a lot of the main code done already, but nothing has been done specifically for overlays as yet. There is still some more work to do for the main tree, which is the initial target. Once that is in place, adding gpg verification to overlays will be relatively easy, as the tools will be in place.