Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 661518 - sys-apps/portage - ability to skip key refresh for any sync-type
Summary: sys-apps/portage - ability to skip key refresh for any sync-type
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Portage team
Keywords: InVCS
Depends on:
Blocks: 650144 721152
  Show dependency tree
Reported: 2018-07-18 15:25 UTC by Rick Farina (Zero_Chaos)
Modified: 2020-07-22 16:17 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Rick Farina (Zero_Chaos) gentoo-dev 2018-07-18 15:25:45 UTC
emerge --sync in general is smart enough to bail out and not bother syncing when the timestamp matches the mirror.  We should extend that type of check to prevent emerge --sync from refreshing keys when we aren't even going to sync anything.  This could be done timebased by checking the timestamp against current time, or by moving the key refresh to after the sync, or by any other way the portage team likes.
Comment 1 Zac Medico gentoo-dev 2018-07-18 15:36:43 UTC
We should really use the top-level Manifest file in the change detection logic, since we really can't trust the timestamp.chk file unless we've verify it with the manifests.
Comment 2 Rick Farina (Zero_Chaos) gentoo-dev 2018-07-25 01:30:21 UTC
since switching pentoo to using repos.conf and checking gpg keys, nearly 1 out of every 3 syncs fails due to either gentoo or pentoo failing to refresh keys.

Assuming having two repos checking keys makes me far more likely to hit this, it's still failing to refresh an average of 1 out of 6, and that's not great.  I believe that fixing this in some reasonable way should be a high priority.
Comment 3 Zac Medico gentoo-dev 2018-07-25 01:51:29 UTC
There's a solution to key refresh problem using WKD in gemato-9999:
Comment 4 Zac Medico gentoo-dev 2018-08-01 17:41:14 UTC
In app-portage/gemato-14.0, keys are fetched via WKD by default, and it only falls back to hkps if one or more keys in the keychain (provided by app-crypt/openpgp-keys-gentoo-release) fails to import from WKD:
Comment 5 Zac Medico gentoo-dev 2020-06-08 17:55:13 UTC
This option will need to security disclaimer since it introduces a vulnerability for compromised/revoked keys.
Comment 6 Zac Medico gentoo-dev 2020-06-12 18:16:06 UTC
The option can be independent of sync-type, just like the existing sync-openpgp-key-refresh-* options.
Comment 8 Rick Farina (Zero_Chaos) gentoo-dev 2020-06-14 02:47:46 UTC
While my code review isn't very meaningful, I hope that my testing is.  Not only does this code run and perform as expected, it exposed a problem in my key ring which was being masked by the refresh.  Thanks for the hard work, functionality wise this is precisely what I need.  Please commit when comfortable.
Comment 9 Larry the Git Cow gentoo-dev 2020-06-14 20:44:38 UTC
The bug has been referenced in the following commit(s):

commit f0206663130c5ed6af7acc8995e4bd2d78cc74fe
Author:     Zac Medico <>
AuthorDate: 2020-06-12 23:25:43 +0000
Commit:     Zac Medico <>
CommitDate: 2020-06-14 20:37:54 +0000

    repos.conf: add bool sync-openpgp-key-refresh option (bug 661518)
    Add a sync-openpgp-key-refresh option that makes it possible to
    disable key refresh, which may be useful in cases when it is not
    possible to refresh keys.
    Key refresh is enabled by default, and if it is disabled then
    the SyncBase._refresh_keys method will output an ewarn message
    like this when the --quiet option is not enabled:
     * Key refresh is disabled via a repos.conf sync-openpgp-key-refresh
     * setting, and this is a security vulnerability because it prevents
     * detection of revoked keys!
    Tested-by: Rick Farina <>
    Signed-off-by: Zac Medico <>

 lib/portage/repository/ | 10 +++++++++-
 lib/portage/sync/     |  9 ++++++++-
 man/portage.5                    |  9 ++++++++-
 3 files changed, 25 insertions(+), 3 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2020-06-14 23:47:23 UTC
The bug has been referenced in the following commit(s):

commit 5330fc62703c0e2c535eb2ac8247d43faf501c8e
Author:     Zac Medico <>
AuthorDate: 2020-06-14 23:33:47 +0000
Commit:     Zac Medico <>
CommitDate: 2020-06-14 23:47:09 +0000

    sys-apps/portage: Bump to version 2.3.101
     #661518 repos.conf: Add bool sync-openpgp-key-refresh option
     #709746 New PORTAGE_LOG_FILTER_FILE_CMD variable specifies a
             command that filters build log output to a log file
     #719810 Escape percent-signs in mirror url
     #725934 _better_cache._scan_cat: Avoid stat calls
     #728046 ecompress: Prefix eqawarn messages with QA Notice
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Zac Medico <>

 sys-apps/portage/Manifest               |   1 +
 sys-apps/portage/portage-2.3.101.ebuild | 263 ++++++++++++++++++++++++++++++++
 2 files changed, 264 insertions(+)