Bug 597918 - sys-apps/portage: make emerge-webrsync use app-crypt/gkeys to automatically establish trust for gpg signature verification
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Interface (emerge)
Hardware: All All
Importance: Normal normal (2 votes)
Deadline: 2020-05-19
Assignee: Portage team
URL:
Whiteboard:
Keywords: PATCH, PMASKED
Depends on: 453620
Blocks: 240187 597800
Reported: 2016-10-23 20:30 UTC by Zac Medico
Modified: 2020-04-19 18:47 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Zac Medico gentoo-dev 2016-10-23 20:30:55 UTC
Ideally, emerge-webrsync would verify gpg signatures by default. However, current support for FEATURES=webrsync-gpg requires users to manually establish trust, as described here:

https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

Using app-crypt/gkeys (and keys installed by app-crypt/gentoo-keys), it is possible to automatically establish trust, which will provide the convenience necessary to enable gpg signature verification by default.
Comment 1 Zac Medico gentoo-dev 2016-10-24 04:21:31 UTC
This combination of commands appears to do the job, tested with app-crypt/gkeys-0.2, assuming that tree snapshot and corresponding .gpgsig file have been downloaded to the same directory:

# fetch the latest key and revocation data
gkeys refresh-key -C gentoo -n snapshot

# check the key to make sure that it's valid
gkeys check-key -C gentoo -n snapshot

# verify the snapshot
gkeys verify -C gentoo -n snapshot -F $DISTDIR/portage-20161023.tar.bz2
Comment 2 Zac Medico gentoo-dev 2016-10-24 05:33:09 UTC
(In reply to Zac Medico from comment #1)
> # check the key to make sure that it's valid
> gkeys check-key -C gentoo -n snapshot

The above command fails as follows:

# gkeys check-key -C gentoo -n snapshot

 Checking keys...


  snapshot, Gentoo Tree Snapshot (Automated) Signing Key: 0xDB6B8C1F96D8BF6D
  ==============================================


 Gkey task results:
    
Found:
-------
    Expired: 0
    Revoked: 0
    Invalid: 0
    No signing capable subkeys: 0

# echo $?
1
Comment 3 Zac Medico gentoo-dev 2016-10-24 05:37:48 UTC
There's a patch in the following branch:

https://github.com/zmedico/portage/tree/bug_597918

However, it doesn't work because of the gkeys check-key failure shown in comment #2.
Comment 4 Zac Medico gentoo-dev 2016-10-24 05:52:40 UTC
There's a fix for the gkeys check-key issue here:

https://github.com/gentoo/gentoo-keys/pull/53
Comment 5 Zac Medico gentoo-dev 2016-10-27 17:19:14 UTC
I've removed the call to gkeys check-key, since we want to treat signatures as valid as long as they were created while the key was still valid.
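The rule stated in comment 5, as an added example that is not portage's or gkeys' code: a check over `gpg --status-fd` output that accepts a signature made while the signing key was still valid even though the key has expired since, and rejects one made after the expiry. The transcripts, fingerprint and timestamps are constructed; the long key id is the one shown in comment 2.

```python
from typing import Optional, Tuple

# Two constructed `gpg --status-fd` transcripts, not output captured from a real
# system. The long key id is the snapshot signing key quoted in comment 2; the
# fingerprint and every timestamp are invented for this example.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
KEY_EXPIRY = 1500000000  # constructed key expiration time (2017-07-14)

def _status(sig_ts: int) -> str:
    """Constructed status-fd transcript for a signature made at sig_ts."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] KEYEXPIRED {KEY_EXPIRY}",
        "[GNUPG:] EXPKEYSIG DB6B8C1F96D8BF6D Gentoo Tree Snapshot (Automated) Signing Key",
        f"[GNUPG:] VALIDSIG {FPR} 2016-10-23 {sig_ts} 0 4 0 1 10 00 {FPR}",
    ])

SIGNED_BEFORE_EXPIRY = _status(1477252800)  # 2016-10-23, key still valid
SIGNED_AFTER_EXPIRY = _status(1510000000)   # 2017-11-06, after the key expired
FATAL = {"BADSIG", "ERRSIG", "REVKEYSIG", "NO_PUBKEY"}

def evaluate_signature(status_text: str, now: int) -> Tuple[bool, str]:
    """Accept a signature that verifies and was made while the key was still valid,
    even if the key has expired since (the rule stated in comment 5). Assumes a
    dedicated keyring holding only trusted keys, so TRUST_* lines are not consulted."""
    sig_time: Optional[int] = None
    sig_expiry = 0
    key_expiry: Optional[int] = None
    verified = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        code = fields[1]
        if code in FATAL:
            return False, f"rejected: gpg reported {code}"
        if code in ("GOODSIG", "EXPKEYSIG"):  # gpg emits EXPKEYSIG instead of GOODSIG for expired keys
            verified = True
        elif code == "VALIDSIG":
            sig_time, sig_expiry = int(fields[4]), int(fields[5])  # sig-timestamp, sig expire-timestamp
        elif code == "KEYEXPIRED":
            key_expiry = int(fields[2])
    if not verified or sig_time is None:
        return False, "rejected: no verified signature"
    if sig_expiry and sig_expiry < now:
        return False, "rejected: signature itself has expired"
    if key_expiry is not None and sig_time > key_expiry:
        return False, "rejected: signed after the key expired"
    return True, "accepted"
```

Note that gpg itself exits 0 for an expired-key signature, so the exit code alone does not distinguish the two transcripts; the KEYEXPIRED and VALIDSIG timestamps do.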
Comment 8 Zac Medico gentoo-dev 2016-11-07 07:47:02 UTC
(In reply to Zac Medico from comment #7)
> This is in the master branch:
> 
> https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80

We need a stabilized release of app-crypt/gkeys, or else we should revert this until we have one.
Comment 9 Brian Dolbec (RETIRED) gentoo-dev 2016-11-07 20:37:53 UTC
Yeah, we need to fix a few things and make a new release.

So, yeah, probably best to revert this in master, leave it in a branch we can add the meta-manifest stuff to as well, then we can co-ordinate with the gkeys release when both are ready. Then get them both stabled together.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 12:12:28 UTC
app-crypt/gkeys is last-rited now.
Comment 12 Zac Medico gentoo-dev 2020-04-19 18:47:35 UTC
By default, we use gemato for key refresh since bug 689506.