Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 659250

Summary: 'Manifest mismatch for metadata/glsa/Manifest' after `emaint sync -r gentoo --sync-submodule glsa`
Product: Portage Development Reporter: Nuno <>
Component: UnclassifiedAssignee: Portage team <dev-portage>
Status: CONFIRMED ---    
Severity: normal CC: bernardofpc
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 650144    
Attachments: emerge --info

Description Nuno 2018-06-26 16:07:22 UTC
Created attachment 537284 [details]
emerge --info

When running `emaint sync -r gentoo --sync-submodule glsa`, the following message appears (if the portage tree is not already up-to-date):

 * Verifying /usr/portage ...!!! Manifest verification failed:
Manifest mismatch for metadata/glsa/Manifest
  BLAKE2B: expected: fda02a1ae593b985b50b2f5c6da01d8d7ac30d00fe0520a79e3d3eb092a2cda0a9632d6ae689f43cfe653ae5c07a3caa14aa89faca63d1a07e64a74b2e540fae, have: d34241568d14c06cac92ce77948773230fd22dabceac7b07978f672d051e7b72f9cb9d64150e6687a60945509461230718b5d85b35c6b5710313650338681835
  SHA512: expected: 2e5ed1b1d1b75237e52c230cc0a7f799cd7319626c05766d76d0d45f257576f23b94e3dc606ef2c67865734481e820e1dd633efa5cd03674c4ede7fd9041fb8d, have: c2f458eeaa1807c9db1a77256070a850df012a7c2ad06fd4b7d09f214d8027021488b1382cef483182f51effe5c66d68f3016cd73a28e937069b4dc542deaea6

This happens because the hashes for 'metadata/glsa/Manifest' are in 'metadata/Manifest.gz', which (I guess) is not updated by `--sync-submodule glsa`. However, simply syncing the parent Manifests (e.g. 'metadata/Manifest.gz', 'Manifest.files.gz' and 'Manifest') would not work since it would mess up the hashes of other files in the portage tree which were not synced.

Using sys-apps/portage-2.3.40-r1 with USE="ipc native-extensions rsync-verify xattr" PYTHON_TARGETS="python3_6"
Comment 1 Zac Medico gentoo-dev 2018-06-27 15:09:53 UTC
GLEP 74 says "The sub-Manifest can also be signed using OpenPGP armored cleartext format" here:

In fact, the glsa subdirectory does have a signed Manifest file, so we can make gemato verify it independently.
Comment 2 Jonas Stein gentoo-dev 2018-08-19 08:58:45 UTC
*** Bug 663962 has been marked as a duplicate of this bug. ***