Bug 691722

Summary: Allow signature verification of portage tree for offline systems
Product: Portage Development
Reporter: Nikolay <nikolay.p>
Component: Unclassified
Assignee: Portage team <dev-portage>
Status: UNCONFIRMED
Severity: normal
CC: esigra, leonchik1976
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 240187

Description Nikolay 2019-08-07 22:57:18 UTC
emerge --info:

Portage 2.3.69 (python 3.6.5-final-0, default/linux/amd64/17.1, gcc-8.3.0, glibc-2.29-r2, 4.4.180-gentoo x86_64)
=================================================================
System uname: Linux-4.4.180-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_X3430_@_2.40GHz-with-gentoo-2.6
KiB Mem:    16424844 total,   2150948 free
KiB Swap:   10485692 total,  10485692 free
Timestamp of repository gentoo: Tue, 30 Jul 2019 00:45:01 +0000
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.31.1 p7) 2.31.1
app-shells/bash:          4.4_p23-r1::gentoo
dev-lang/perl:            5.28.2-r1::gentoo
dev-lang/python:          2.7.15::gentoo, 3.6.5::gentoo
dev-util/cmake:           3.14.3::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.41.2::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.13.4-r2::gentoo, 1.15.1-r2::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.31.1-r6::gentoo
sys-devel/gcc:            8.3.0-r1::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.14-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.29-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: webrsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-webrsync-verify-signature: true

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind /var/lib/redmine/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.2/ext-active/ /etc/php/apache2-php7.3/ext-active/ /etc/php/cgi-php7.2/ext-active/ /etc/php/cgi-php7.3/ext-active/ /etc/php/cli-php7.2/ext-active/ /etc/php/cli-php7.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /var/lib/redmine/config/locales /var/lib/redmine/config/settings.yml"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com http://mirror.lug.udel.edu/pub/gentoo http://www.gtlib.gatech.edu/pub/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bzip2 cdr cli consolekit crypt cxx dbus declarative dri extensions faac fortran gd gdbm iconv libtirpc multilib ncurses nptl open_perms openmp pam pcre peer_perms postgres readline seccomp split-usr sql ssl tcpd threads ubac udev unicode webkit xattr zlib" ABI_X86="64" ALSA_CARDS="hda-intel usb-audio" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation proxy proxy_fcgi proxy_connect proxy_http proxy_html rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias xml2enc" APACHE2_MPMS="worker" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="evdev fbdev fglrx intel mga vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

An offline Gentoo installation seems to be unable to use the tree verification security feature. Portage is synced with webrsync via an HTTP proxy (no Internet access).

Up until the last update of Portage that method worked.

After the last update, emerge --sync tries to refresh keys via WKD and fails because the system is offline.

Would it be possible to allow such offline Gentoo systems to successfully sync the tree and verify the signature without trying to refresh the keys from the keyserver?

Turning off the verification process compromises security.
Comment 2 Hank Leininger 2019-08-12 20:51:33 UTC
I had the same problem - isolated environments that worked for years until the emerge-webrsync + webrsync-gpg -> emerge --sync + sync-webrsync-verify-signature change.

In my case I control the proxy, so I was able to allow the Gentoo keyservers.

In your case, I wonder, as a workaround could you fake things out by setting up an internal webserver and use internal DNS or /etc/hosts records to direct your internal systems there to fetch key "updates"?  (I don't know if gemato will be too smart to be fooled by that, if you'd have to stuff your own CA cert in place, etc.)

If/when you do get past that, watch out for https://bugs.gentoo.org/691434 as well: emerge-webrsync in a cron job picks up proxy settings just fine, but emerge --sync does not; workaround in that bug report.
Comment 3 Zac Medico gentoo-dev 2019-08-12 21:00:06 UTC
(In reply to Nikolay from comment #0)
> An offline Gentoo installation seems to be unable to use the tree
> verification security feature. The portage is synced with webrsync via HTTP
> proxy (no Internet access).
> 
> Up until last update of the portage that method worked.
> 
> After last update the emerge --sync is trying to refresh keys via WKD and
> fails because the system is offline.

If you can sync via HTTP proxy, then hopefully the WKD key refresh can use the same HTTP proxy.

> Would it be possible to allow such offline Gentoo systems to successfully
> sync the tree and verify the signature without trying to refresh the keys
> from the keyserver?
> 
> Turning off the verification process compromises security.

Skipping the key refresh also compromises security, since the "trusted" key may have been revoked without your knowledge. We do not want to provide you with a false sense of security, since that is equivalent to a security vulnerability.
Comment 4 Nikolay 2019-08-12 21:51:17 UTC
(In reply to Zac Medico from comment #3)
> 
> If you can sync via HTTP proxy, then hopefully the WKD key refresh can use
> the same HTTP proxy.

This will work if the key refresh process does not involve the use of HTTPS. This is an HTTP-only whitelist proxy. Unfortunately it is outside of my control.

> 
> Skipping the key refresh also compromises security, since the "trusted" key
> may have been revoked without your knowledge. We do not want to provide you
> with a false sense of security, since that is equivalent to a security
> vulnerability.

I agree.

However, there could be an option that needs to be explicitly enabled for this. I thought it would be in Gentoo's spirit to allow full customization of the system for those who understand the risk involved. Key revocation can be announced on the mailing list the same way GLSAs get announced.

For emerge-webrsync, which is performed once every 24 hours, this could provide a sufficient level of security.

If I understand correctly, even when the key refresh happens every time emerge --sync is invoked, there still exists a chance that an attacker would compromise the key and introduce malicious content into the Portage tree, which will propagate to some users before the Gentoo dev team revokes the key.
Comment 5 Zac Medico gentoo-dev 2019-08-12 22:01:35 UTC
Sure, we can add a repos.conf setting to skip the key refresh, as long as the documentation includes a sufficient warning about the security implications with respect to key revocation.
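The trade-off in comments 3 to 5 is that an offline system which skips the key refresh cannot learn of a revocation on its own. As an added example, not Portage code and not part of this bug, the following guard script bounds that risk on the client side: it refuses to sync if the locally imported release key is reported as revoked or expired by gpg, or if a marker file (assumed to be touched by an admin each time the key's status is re-checked out of band, for example from a connected machine) is older than a configured number of days. The marker path, maximum age and key ID are assumptions.

```shell
#!/bin/sh
# Offline Portage sync guard (added example, not Portage's own code).
# Assumes the Gentoo release key was imported into the local keyring by hand
# and that an admin touches a marker file whenever its revocation status is
# re-checked out of band.  `emerge --sync` is only run when both checks pass.

# Classify a key from `gpg --with-colons --list-keys` output read on stdin.
# Field 2 of the "pub" record is the validity flag: r = revoked, e = expired.
key_status() {
    awk -F: '
        $1 == "pub" && $2 == "r" { print "revoked"; found = 1; exit }
        $1 == "pub" && $2 == "e" { print "expired"; found = 1; exit }
        $1 == "pub"              { print "ok";      found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Succeed only if FILE exists and was modified within MAX_DAYS days.
# Uses GNU stat (-c %Y); on BSD systems use `stat -f %m` instead.
key_fresh() {
    file=$1; max_days=$2
    [ -f "$file" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file")
    age_days=$(( (now - mtime) / 86400 ))
    [ "$age_days" -le "$max_days" ]
}

# Constructed sample records (placeholder key IDs, not real Gentoo keys),
# in the shape gpg prints them with --with-colons.
SAMPLE_OK='pub:-:4096:1:0000000000000001:1500000000:1800000000::-:::scESC::::::23::0:'
SAMPLE_REVOKED='pub:r:4096:1:0000000000000002:1500000000:1800000000::-:::scESC::::::23::0:'

# Guard: MARKER is the out-of-band check file, MAX_DAYS its allowed age,
# KEYID the release key to inspect in the local keyring.
guarded_sync() {
    marker=$1; max_days=$2; keyid=$3
    status=$(gpg --with-colons --list-keys "$keyid" 2>/dev/null | key_status)
    [ "$status" = ok ] || { echo "refusing to sync: key $keyid is $status" >&2; return 1; }
    key_fresh "$marker" "$max_days" || {
        echo "refusing to sync: last key check is older than $max_days days" >&2; return 1; }
    emerge --sync
}
```

A cron entry would call guarded_sync with, for instance, /var/lib/portage/key-checked as the marker and 7 as the maximum age, so a stale or revoked key stops the sync instead of being silently trusted.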
Comment 6 Fabian Groffen gentoo-dev 2019-08-13 06:16:25 UTC
(In reply to Nikolay from comment #0)
> An offline Gentoo installation seems to be unable to use the tree
> verification security feature. The portage is synced with webrsync via HTTP
> proxy (no Internet access).
>
> Up until last update of the portage that method worked.
> 
> After last update the emerge --sync is trying to refresh keys via WKD and
> fails because the system is offline.
> 
> Would it be possible to allow such offline Gentoo systems to successfully
> sync the tree and verify the signature without trying to refresh the keys
> from the keyserver?
> 
> Turning off the verification process compromises security.

Just FYI, qmanifest from >=portage-utils-0.80* can verify your tree separately. It doesn't do key refresh, so you'll have to ensure it is up to date yourself. (If it can't verify the signature, it nevertheless continues and tells you whether your tree, apart from the signature, is fine.)