To tighten up security, add gpg signed repositories.xml list support.
This is a work in progress, with initial gpg support in layman-9999 and an added gpg USE-flag-enabled dep on app-portage/pyGPG-9999.
I just realized I've probably put pyGPG in the wrong category, oops :/
In my opinion gpg support for layman-2.0.0 final should only include gentoo's repositories.xml (as well as others) gpg signed list support.
To be added in a later version:
- gpg signed overlay manifests
- additional tools for creating and verifying overlay manifests
Basic thoughts/plans so far:
Setting up a gentoo-keys project for managing gpg signing keys. This will include some utilities for processing the keyid seed files, importing the key(s) from the key servers and verifying the keys added to a system match the seed info. It is this keyring that will be used to verify the repositories.xml list.
I also propose adding a gpg data field to the repositories.xml with name, keyid and fingerprint (open for debate) for any overlays that will generate and include a gpg-signed MetaManifest that can be used to verify the contents of the overlay.
I will be adding tools to layman for adding the keys to the layman keyring, generating and verifying the overlay contents. It is possible that layman will just leverage the gentoo-keys utilities for some of these operations.
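As an added illustration of the seed-verification step described above (not code from layman or gentoo-keys, whose seed format is not specified here), the snippet below checks constructed seed entries (name, keyid, fingerprint) against a constructed `gpg --with-colons --fingerprint` listing: each seed's key id must equal the last 16 hex digits of its fingerprint, and that fingerprint must actually be present in the keyring.

```python
import re

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # v4 OpenPGP fingerprints are 40 hex digits

# Constructed seed entries; the second key is deliberately absent from the keyring.
SEEDS = [
    {"name": "Example Repo List Key",
     "keyid": "0x6D7E8F9012345678",
     "fingerprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"},
    {"name": "Unimported Key",
     "keyid": "0xFEDCBA9876543210",
     "fingerprint": "000011112222333344445555FEDCBA9876543210"},
]

# Constructed `gpg --with-colons --fingerprint` output: field 5 of a 'pub' record is the
# key id, field 10 of the following 'fpr' record is the full fingerprint.
KEYRING_LISTING = """\
tru::1:1357000000:0:3:1:5
pub:-:4096:1:6D7E8F9012345678:1357000000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9012345678:
uid:-::::1357000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Repo List Key <keys@example.org>:
"""

def parse_keyring(listing):
    """Map fingerprint -> long key id from a colon-format gpg listing."""
    keys, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
        elif fields[0] == "fpr" and current is not None:
            keys[fields[9]] = current
            current = None
    return keys

def check_seeds(seeds, keyring):
    """Return (name, problem) pairs; an empty list means every seed checks out."""
    problems = []
    for seed in seeds:
        name, fpr = seed["name"], seed["fingerprint"].upper()
        keyid = seed["keyid"].upper()
        keyid = keyid[2:] if keyid.startswith("0X") else keyid
        if not FPR_RE.match(fpr):
            problems.append((name, "malformed fingerprint"))
        elif keyid != fpr[-16:]:
            problems.append((name, "key id does not match fingerprint"))
        elif fpr not in keyring:
            problems.append((name, "key not present in keyring"))
        elif keyring[fpr] != keyid:
            problems.append((name, "keyring reports a different key id"))
    return problems

if __name__ == "__main__":
    for name, problem in check_seeds(SEEDS, parse_keyring(KEYRING_LISTING)):
        print(f"{name}: {problem}")
```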
app-portage/pyGPG has been moved to dev-python/pyGPG.
Although I've been making progress on gentoo-keys, I think I am going to drop this feature from a layman-2.0.0 final release. This can go into a layman-2.0.1 when it is ready.
layman-2.0.0_rc5 has been out for a month now without any bugs reported against it. So I would like to push it out as the final.
The gentoo-keys and pygpg pkgs will need more testing before being able to consider stabilizing them.
It may be worth skimming over #387565 for some related tangents.
(In reply to comment #3)
> It may be worth skimming over #387565 for some related tangents.
Erp! REALLY sorry for posting the wrong bug. Had no idea how many people were being CC'd. Apologies. The bug was https://bugs.gentoo.org/show_bug.cgi?id=453620. It's quite speculative but related. Feel like an idiot. Sorry again ;)