Bug 443880 - app-portage/layman add gpg-signed list support
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement with 1 vote
Assignee: Layman Overlay Manager project
Reported: 2012-11-19 02:10 UTC by Brian Dolbec
Modified: 2016-01-02 01:22 UTC
Description Brian Dolbec gentoo-dev 2012-11-19 02:10:45 UTC
To tighten up security, add gpg signed repositories.xml list support.

This is a work in progress with initial gpg support in layman-9999 with an added gpg use flag enabled dep on app-portage/pyGPG-9999.  

I just realized I've probably put pyGPG in the wrong category, oops :/

In my opinion gpg support for layman-2.0.0 final should only include gentoo's repositories.xml (as well as others) gpg signed list support.

To be added in a later version:
  -  gpg signed overlay manifests
  -  additional tools for creating and verifying overlay manifests


Reproducible: Always
Comment 1 Brian Dolbec gentoo-dev 2012-11-21 08:24:33 UTC
Basic thoughts/plans so far:

Setting up a gentoo-keys project for managing gpg signing keys.  This will include some utilities for processing the keyid seed files, importing the key(s) from the key servers and verifying the keys added to a system match the seed info.  It is this keyring that will be used to verify the repositories.xml list.


I also propose adding a gpg data field to the repositories.xml with name, keyid and fingerprint (open for debate) for any overlays that will generate and include a gpg-signed MetaManifest that can be used to verify the contents of the overlay.
I will be adding tools to layman for adding the keys to the layman keyring, generating and verifying the overlay contents.  It is possible that layman will just leverage the gentoo-keys utilities for some of these operations.

app-portage/pyGPG has been moved to dev-python/pyGPG.
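
An added illustration of the pinning described in comment 1 (not part of the bug thread, and not layman, gentoo-keys or pyGPG code): a signed repositories.xml is accepted only when gpg reports a valid signature from the fingerprint recorded in the seed data, not merely from any key in the keyring. The seed layout, key values, status samples and function names are assumptions constructed for the example.

```python
import subprocess

# Constructed seed entry (name, keyid, fingerprint); not a real Gentoo key.
SEED = {"name": "Example list signing key", "keyid": "89ABCDEF01234567",
        "fingerprint": "0123456789ABCDEF0123456789ABCDEF01234567"}
# gpg status keywords that mean the signature must not be trusted.
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
# Constructed `gpg --status-fd` output: a signature by the seeded key, and a
# cryptographically valid signature by some other key present in the keyring.
_LINES = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {kid} Example\n"
          "[GNUPG:] VALIDSIG {fpr} 2012-11-21 1353486273 0 4 0 1 8 00 {fpr}\n")
GOOD = _LINES.format(kid=SEED["keyid"], fpr=SEED["fingerprint"])
OTHER = _LINES.format(kid="F" * 16, fpr="F" * 40)

def seed_is_consistent(seed):
    """For a v4 key the long keyid is the last 16 hex digits of the fingerprint."""
    fpr = seed["fingerprint"].replace(" ", "").upper()
    return len(fpr) == 40 and fpr.endswith(seed["keyid"].upper())

def check_status(status_text, seed):
    """Accept only a valid signature made by the pinned fingerprint."""
    if not seed_is_consistent(seed):
        return False, "seed keyid/fingerprint mismatch"
    pinned = seed["fingerprint"].replace(" ", "").upper()
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAIL:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing key's fingerprint; fields[11], when
            # present, is the primary key's fingerprint, which is what we pin.
            signers.add((fields[11] if len(fields) >= 12 else fields[2]).upper())
    if pinned in signers:
        return True, "VALIDSIG by pinned key"
    return False, "no valid signature from pinned key"

def verify_list(list_path, sig_path, keyring, seed=SEED):
    """Verify a detached signature against a dedicated keyring file only."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, list_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, seed)
```

Judging the status lines rather than gpg's exit code is what lets the check reject the `OTHER` case, where the signature is good but the signer is not the seeded key.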
Comment 2 Brian Dolbec gentoo-dev 2012-12-16 16:46:01 UTC
Although I've been making progress on gentoo-keys, I think I am going to drop this feature from a layman-2.0.0 final release.  This can go into a layman-2.0.1 when it is ready.

layman-2.0.0_rc5 has been out for a month now without any bugs reported against it.  So I would like to push it out as the final.

The gentoo-keys and pygpg pkgs will need more testing before being able to consider stabilizing them.
Comment 3 Walter 2013-01-23 03:39:01 UTC
It may be worth skimming over #387565 for some related tangents.
Comment 4 Walter 2013-01-23 03:41:24 UTC
(In reply to comment #3)
> It may be worth skimming over #387565 for some related tangents.

Erp! REALLY sorry for posting the wrong bug. Had no idea how many people were being CC'd. Apologies. The bug was https://bugs.gentoo.org/show_bug.cgi?id=453620. It's quite speculative but related. Feel like an idiot. Sorry again ;)