Hello. Is there a plan to add a new option to 'emerge-delta-webrsync' for gpg verification? Or maybe a passthrough option to 'emerge-webrsync'?
Reproducible: Always
Steps to Reproduce:
1. Set FEATURES="webrsync-gpg" and PORTAGE_GPG_DIR="/path/to/valid/gnupg/setup" in make.conf
2. Do setup for 0x239C75C4 Key-ID
3. emerge-delta-webrsync
Actual Results: No GPG verification when using 'emerge-delta-webrsync'.
Expected Results: GPG verification when using 'emerge-delta-webrsync' like 'emerge-webrsync'.
Will this be implemented? It is inefficient to always download a 44 MB file.
Created attachment 321250
Merge gpg support from emerge-webrsync
Note that the gpg signature verification happens *after* the files are synced, since emerge-delta-webrsync generates the compressed tarball (that the signature is for) in parallel while it is syncing the files in parallel. Is that okay? Alternatively, we could force the compression to complete before the syncing, at least when FEATURES=webrsync-gpg is enabled.
Created attachment 321252
Merge gpg support from emerge-webrsync
This version forces the compression and signature verification to complete before syncing.
WARNING: The gpg signatures are generated for *compressed* tar files, while the deltas reconstruct *uncompressed* tar files. So, the signature verification is reliant on the client's local compressor (bzip2) being able to produce perfectly identical output to the compressor that's used on the server side. If this turns out to be a problem, then we can request to have separate gpg signatures generated for the uncompressed tar files.
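The failure mode described in this warning, as an added example that is not part of the original comment or of Portage's code: the same uncompressed tar is compressed with two different bzip2 settings, and a SHA-256 digest stands in for the bytes a detached gpg signature covers. The function names, file names and file contents are constructed for illustration.

```python
import bz2
import hashlib
import io
import tarfile

# Constructed sample tree contents; not taken from a real snapshot.
SAMPLE_FILES = {
    "portage/metadata/timestamp": b"constructed timestamp\n",
    "portage/profiles/repo_name": b"gentoo\n",
}

def build_tar(files):
    """Build a deterministic uncompressed tar from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed so the tar bytes are reproducible
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def digest(data):
    """Stand-in for signed content: a signature only verifies over identical bytes."""
    return hashlib.sha256(data).hexdigest()

def compare(tar_bytes, server_level=9, client_level=1):
    """Compress one tar as 'server' and as 'client' and compare what would be signed."""
    server = bz2.compress(tar_bytes, server_level)
    client = bz2.compress(tar_bytes, client_level)
    return {
        # What a signature over the compressed snapshot depends on.
        "compressed_match": digest(server) == digest(client),
        # What a signature over the uncompressed tar would depend on.
        "uncompressed_match": digest(bz2.decompress(server))
        == digest(bz2.decompress(client)),
    }

if __name__ == "__main__":
    tar_bytes = build_tar(SAMPLE_FILES)
    print("different settings:", compare(tar_bytes, 9, 1))
    print("same settings:     ", compare(tar_bytes, 9, 9))
```

With differing settings the compressed digests diverge while the uncompressed digests still agree, which is why a signature over the uncompressed tar would not depend on the client's compressor.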
(In reply to comment #3)
> Created attachment 321252
> Merge gpg support from emerge-webrsync
This is in git now: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=79674c13905962dc380ea4f951233d4cada32f5b
This is fixed in version 3.6.
It works fine. Thanks.
In case of a full fetch no verification takes place. Is it supposed to be that way? I guess not. Should that go in a separate bug report, or should this one be reopened?
(In reply to sf from comment #8)
> In case of a full fetch no verification takes place.
Yes, it seems that we need to call check_file_signature inside the full_version_attempt function.
> Is it supposed to be that way? I guess not.
>
> Should that go in a separate bug report, or should this one be reopened?
I'll re-open this bug.
This is fixed in git: http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=24f6a9599bcf445c468022264cd6952aad4d4076
(In reply to sf from comment #8)
> In case of a full fetch no verification takes place.
This is fixed in emerge-delta-webrsync-3.7.0.