emerge --sync in general is smart enough to bail out and not bother syncing when the timestamp matches the mirror. We should extend that type of check to prevent emerge --sync from refreshing keys when we aren't even going to sync anything. This could be done time-based by checking the timestamp against the current time, or by moving the key refresh to after the sync, or by any other way the portage team likes.
We should really use the top-level Manifest file in the change detection logic, since we really can't trust the timestamp.chk file unless we've verified it with the manifests.
Since switching pentoo to using repos.conf and checking gpg keys, nearly 1 out of every 3 syncs fails due to either gentoo or pentoo failing to refresh keys. Assuming having two repos checking keys makes me far more likely to hit this, it's still failing to refresh an average of 1 out of 6, and that's not great. I believe that fixing this in some reasonable way should be a high priority.
There's a solution to the key refresh problem using WKD in gemato-9999: https://archives.gentoo.org/gentoo-portage-dev/message/d9da2aabcf0e1b9c798dddb315a0b69d
In app-portage/gemato-14.0, keys are fetched via WKD by default, and it only falls back to hkps if one or more keys in the keychain (provided by app-crypt/openpgp-keys-gentoo-release) fail to import from WKD: https://github.com/mgorny/gemato/commit/909390c25a0ab589a4ae10d20cb9e321a51163b2
This option will need a security disclaimer since it introduces a vulnerability for compromised/revoked keys.
The option can be independent of sync-type, just like the existing sync-openpgp-key-refresh-* options.
Patch posted for review: https://archives.gentoo.org/gentoo-portage-dev/message/b95731b43fc16088590de966fa4421d3 https://github.com/gentoo/portage/pull/557
While my code review isn't very meaningful, I hope that my testing is. Not only does this code run and perform as expected, it exposed a problem in my key ring which was being masked by the refresh. Thanks for the hard work; functionality-wise this is precisely what I need. Please commit when comfortable.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/portage.git/commit/?id=f0206663130c5ed6af7acc8995e4bd2d78cc74fe

commit f0206663130c5ed6af7acc8995e4bd2d78cc74fe
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-12 23:25:43 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-14 20:37:54 +0000

repos.conf: add bool sync-openpgp-key-refresh option (bug 661518)

Add a sync-openpgp-key-refresh option that makes it possible to disable key refresh, which may be useful in cases when it is not possible to refresh keys. Key refresh is enabled by default, and if it is disabled then the SyncBase._refresh_keys method will output an ewarn message like this when the --quiet option is not enabled:

* Key refresh is disabled via a repos.conf sync-openpgp-key-refresh
* setting, and this is a security vulnerability because it prevents
* detection of revoked keys!

Tested-by: Rick Farina <zerochaos@gentoo.org>
Bug: https://bugs.gentoo.org/661518
Signed-off-by: Zac Medico <zmedico@gentoo.org>

lib/portage/repository/config.py | 10 +++++++++-
lib/portage/sync/syncbase.py     |  9 ++++++++-
man/portage.5                    |  9 ++++++++-
3 files changed, 25 insertions(+), 3 deletions(-)
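As an added illustration (not code from this bug thread or from Portage itself), a small Python audit that reads repos.conf-style text and reports which repositories end up with sync-openpgp-key-refresh disabled, honouring [DEFAULT] inheritance so a per-repo override is caught independent of sync-type. The sample configuration is constructed, and the accepted "off" spellings and the treatment of unknown values as enabled are assumptions, not Portage's own parsing rules.

```python
from __future__ import annotations

import configparser

# Constructed sample repos.conf: [gentoo] inherits the [DEFAULT] value,
# [pentoo] switches key refresh off for itself only.
SAMPLE_REPOS_CONF = """\
[DEFAULT]
sync-openpgp-key-refresh = yes

[gentoo]
location = /var/db/repos/gentoo
sync-type = rsync

[pentoo]
location = /var/db/repos/pentoo
sync-type = git
sync-openpgp-key-refresh = false
"""

# The ewarn text quoted in the commit message above.
EWARN = ("Key refresh is disabled via a repos.conf sync-openpgp-key-refresh "
         "setting, and this is a security vulnerability because it prevents "
         "detection of revoked keys!")

# Assumed spellings for "off"; anything else keeps the safe default (on).
_FALSE = {"false", "no", "0"}

def key_refresh_enabled(section: configparser.SectionProxy) -> bool:
    """Enabled unless explicitly switched off.
    configparser folds [DEFAULT] into every section, so a repo-level
    setting overrides the global one, independent of sync-type.
    """
    raw = section.get("sync-openpgp-key-refresh", "yes")
    return raw.strip().lower() not in _FALSE

def repos_without_key_refresh(text: str) -> list[str]:
    """Names of repositories whose effective setting disables key refresh."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return [name for name in parser.sections()
            if not key_refresh_enabled(parser[name])]

def ewarn_messages(text: str) -> list[str]:
    """One warning per weakened repo, the way a sync run would print it."""
    return [f"[{name}] {EWARN}" for name in repos_without_key_refresh(text)]
```

Running `ewarn_messages(SAMPLE_REPOS_CONF)` flags only pentoo; a configuration that disables refresh in [DEFAULT] flags every repository that does not re-enable it.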
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5330fc62703c0e2c535eb2ac8247d43faf501c8e

commit 5330fc62703c0e2c535eb2ac8247d43faf501c8e
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-14 23:33:47 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-14 23:47:09 +0000

sys-apps/portage: Bump to version 2.3.101

#661518 repos.conf: Add bool sync-openpgp-key-refresh option
#709746 New PORTAGE_LOG_FILTER_FILE_CMD variable specifies a command that filters build log output to a log file
#719810 Escape percent-signs in mirror url
#725934 _better_cache._scan_cat: Avoid stat calls
#728046 ecompress: Prefix eqawarn messages with QA Notice

Bug: https://bugs.gentoo.org/721152
Bug: https://bugs.gentoo.org/661518
Bug: https://bugs.gentoo.org/709746
Bug: https://bugs.gentoo.org/719810
Bug: https://bugs.gentoo.org/725934
Bug: https://bugs.gentoo.org/728046
Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Zac Medico <zmedico@gentoo.org>

sys-apps/portage/Manifest               |   1 +
sys-apps/portage/portage-2.3.101.ebuild | 263 ++++++++++++++++++++++++++++++++
2 files changed, 264 insertions(+)