Hi!

I have repositories configured for git-based gpg verification, e.g.:

[bircoph]
priority = 50
location = /var/lib/overlays/bircoph
sync-type = git
sync-uri = git://anongit.gentoo.org/dev/bircoph.git
sync-hooks-only-on-change = true
sync-depth = 1
sync-git-verify-commit-signature = true
sync-openpgp-key-path = /var/lib/gentoo/gkeys/keyrings/overlays/bircoph.asc

And I observe the following behaviour if key refresh fails:

# emaint sync -r bircoph
>>> Syncing repository 'bircoph' into '/var/lib/overlays/bircoph'...
/usr/bin/git fetch origin --depth 1
remote: Total 0 (delta 0), reused 0 (delta 0)
* Using keys from /var/lib/gentoo/gkeys/keyrings/overlays/bircoph.asc
* Refreshing keys from keyserver ...!!! Verification impossible due to keyring problem:
OpenPGP keyring refresh failed:
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: keyserver refresh failed: No data

=== Sync completed for bircoph

Action: sync for repo: bircoph, returned code = 0

So:
1. No gpg check is performed even with available version of the key.
2. Sync result is OK! Return code 0.

This should not happen, either fail sync or at least check with non-updated key (and warn user appropriately). The latter is worse than former, as key may be revoked, but in case of frequent keyserver failures it is still better than no check at all or failing each sync.

I use portage-2.3.43, gemato-13.1, gnupg-2.2.9.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=dc1ba7729c42cbe738ae7ec34e2f13f79c48d41c

commit dc1ba7729c42cbe738ae7ec34e2f13f79c48d41c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-23 18:46:08 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-23 18:51:02 +0000

    git: fix key refresh failure to trigger abort (bug 661906)

    Fix the verify_head method to appropriately return a bool value instead of a tuple.

    Fixes: d30191b887bb ("git: Support running the verification against sync-openpgp-key-path")
    Bug: https://bugs.gentoo.org/661906

 lib/portage/sync/modules/git/git.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

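The failure mode the commit message above describes (a tuple returned where a bool is tested), shown as an added example that is not Portage's own code. `KeyRefreshError`, `verify_head_tuple`, `verify_head_bool`, `sync` and `strict_gate` are hypothetical names in a simplified model, and the exit codes are assumed.

```python
# Added illustration: a simplified model, not Portage's git.py.
# All names and return conventions below are assumptions.


class KeyRefreshError(Exception):
    """Stands in for a failed OpenPGP keyring refresh."""


def refresh_keys(keyserver_ok):
    if not keyserver_ok:
        raise KeyRefreshError("keyserver refresh failed: No data")


def verify_head_tuple(keyserver_ok, signature_ok=True):
    """Buggy shape: reports failure as a (returncode, updated) tuple."""
    try:
        refresh_keys(keyserver_ok)
    except KeyRefreshError:
        return (1, False)  # non-empty tuple: truthy in a boolean test
    return signature_ok


def verify_head_bool(keyserver_ok, signature_ok=True):
    """Fixed shape: every path returns a plain bool."""
    try:
        refresh_keys(keyserver_ok)
    except KeyRefreshError:
        return False
    return signature_ok


def sync(verify_head, keyserver_ok):
    """Caller that uses verify_head's result as a boolean gate.

    Returns the sync exit code: 0 = accepted, 1 = verification aborted.
    """
    if not verify_head(keyserver_ok):
        return 1  # abort: verification failed
    return 0      # proceed: fetched tree is accepted


def strict_gate(result):
    """Defensive caller-side check: accept only the literal True."""
    return 0 if result is True else 1
```

With the keyserver down, `sync(verify_head_tuple, False)` returns 0, matching the "returned code = 0" in the report, while the bool-returning variant aborts with 1.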
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=de9801740fcbdb80c582308d7a4f2fef6b2b6aed

commit de9801740fcbdb80c582308d7a4f2fef6b2b6aed
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-23 19:58:03 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-23 19:58:03 +0000

    git: add missing return statement in fix for bug 661906

    Fixes: dc1ba7729c42 ("git: fix key refresh failure to trigger abort (bug 661906)")
    Bug: https://bugs.gentoo.org/661906

 lib/portage/sync/modules/git/git.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a11e6079130d61d8d8297215ffea32e2743cbd0

commit 2a11e6079130d61d8d8297215ffea32e2743cbd0
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-07-23 20:02:42 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-07-23 20:09:18 +0000

    sys-apps/portage: revbump to 2.3.43-r1

    #661834 - synced files owned by root
    #661906 - git sync continues despite key refresh failure

    Bug: https://bugs.gentoo.org/661834
    Bug: https://bugs.gentoo.org/661906
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 .../portage/{portage-2.3.43.ebuild => portage-2.3.43-r1.ebuild} | 8 ++++++++
 1 file changed, 8 insertions(+)

Thanks! That was fast :)