commit:     eb98d1ac1f255a004e06debfa1611a65fdc493e2
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 24 21:01:06 2018 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jan 25 08:00:07 2018 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=eb98d1ac

rsync: Introduce support for running full-tree gemato verification

Add two new configuration options to rsync repositories:
sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path.
The first controls whether gemato verification is run for
the repository (defaults to true for ::gentoo, false otherwise);
the second makes it possible to override the key path for custom
repositories.

Reviewed-by: Zac Medico <zmedico <AT> gentoo.org>

 cnf/repos.conf                             |  2 ++
 man/portage.5                              |  9 +++++++++
 pym/portage/sync/modules/rsync/__init__.py |  4 +++-
 pym/portage/sync/modules/rsync/rsync.py    | 20 +++++++++++++++++++-
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/cnf/repos.conf b/cnf/repos.conf
index 062fc0d10..0d2b1f4be 100644
--- a/cnf/repos.conf
+++ b/cnf/repos.conf
@@ -6,6 +6,8 @@ location = /usr/portage
 sync-type = rsync
 sync-uri = rsync://rsync.gentoo.org/gentoo-portage
 auto-sync = yes
+sync-rsync-verify-metamanifest = yes
+sync-rsync-openpgp-key-path = 
/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
 
 # for daily squashfs snapshots
 #sync-type = squashdelta
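Review bot: The new default `sync-rsync-openpgp-key-path` points at a fixed keyring file under /var/lib/gentoo/gkeys, and with `sync-rsync-verify-metamanifest = yes` set on the same repository every ::gentoo sync will presumably fail verification when that file is absent, since the gemato invocation in rsync.py passes the path straight through with `-K`. Neither this file nor the man page hunk says which package is expected to provide the keyring, so a user hitting the failure has nothing to go on. A one-line comment above the two options, such as `# MetaManifest verification needs the release keyring at the path below; clear the path to fall back to the user's keyring`, would make the dependency visible where it is configured.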

diff --git a/man/portage.5 b/man/portage.5
index e724e1f08..2d444a86f 100644
--- a/man/portage.5
+++ b/man/portage.5
@@ -1071,10 +1071,19 @@ Extra options to give to rsync on repository 
synchronization. It takes
 precedence over a declaration in [DEFAULT] section, that takes
 precedence over PORTAGE_RSYNC_EXTRA_OPTS.
 .TP
+.B sync\-rsync\-openpgp\-key\-path
+Path to the OpenPGP key(ring) used to verify MetaManifest. Used only
+if \fBsync\-rsync\-verify\-metamanifest\fR is enabled. If unset,
+the user's keyring is used.
+.TP
 .B sync-rsync-vcs-ignore = true|false
 Ignore vcs directories that may be present in the repository. It is the
 user's responsibility to set sync-rsync-extra-opts to protect vcs
 directories if appropriate.
+.TP
+.B sync\-rsync\-verify\-metamanifest = true|false
+Require the repository to contain a signed MetaManifest and verify
+it using \fBapp\-portage/gemato\fR. Defaults to false.
 
 .RE
 

diff --git a/pym/portage/sync/modules/rsync/__init__.py 
b/pym/portage/sync/modules/rsync/__init__.py
index c2fdc4188..df9a1995a 100644
--- a/pym/portage/sync/modules/rsync/__init__.py
+++ b/pym/portage/sync/modules/rsync/__init__.py
@@ -1,4 +1,4 @@
-# Copyright 2014 Gentoo Foundation
+# Copyright 2014-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 doc = """Rsync plug-in module for portage.
@@ -27,7 +27,9 @@ module_spec = {
                        'validate_config': CheckSyncConfig,
                        'module_specific_options': (
                                'sync-rsync-extra-opts',
+                               'sync-rsync-openpgp-key-path',
                                'sync-rsync-vcs-ignore',
+                               'sync-rsync-verify-metamanifest',
                                ),
                        }
                }

diff --git a/pym/portage/sync/modules/rsync/rsync.py 
b/pym/portage/sync/modules/rsync/rsync.py
index c80641ba3..47f0e1ea3 100644
--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 import sys
@@ -82,6 +82,16 @@ class RsyncSync(NewBase):
                        self.extra_rsync_opts.extend(portage.util.shlex_split(
                                
self.repo.module_specific_options['sync-rsync-extra-opts']))
 
+               # Process GLEP74 verification options.
+               # Default verification to 'on' for ::gentoo, 'off' otherwise.
+               self.verify_metamanifest = (
+                               self.repo.module_specific_options.get(
+                                       'sync-rsync-verify-metamanifest', 
False))
+               # Default to gentoo-keys keyring.
+               self.openpgp_key_path = (
+                               self.repo.module_specific_options.get(
+                                       'sync-rsync-openpgp-key-path', None))
+
                # Real local timestamp file.
                self.servertimestampfile = os.path.join(
                        self.repo.location, "metadata", "timestamp.chk")
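Review bot: `self.verify_metamanifest` keeps whatever value the repository config hands back, and the neighbouring `sync-rsync-extra-opts` line feeds its value to `shlex_split`, which suggests `module_specific_options` holds raw strings; a user writing `sync-rsync-verify-metamanifest = false` (the form the man page documents) therefore still gets a non-empty, truthy string and verification runs anyway in the later `if exitcode == 0 and self.verify_metamanifest:` test. Normalise it here, e.g. `self.verify_metamanifest = (self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('yes', 'true'))`, so that only an explicit yes/true enables the check. The two comments also disagree with the code they annotate: the default in this method is unconditionally False (the ::gentoo default comes from cnf/repos.conf) and the key path defaults to None, which the man page describes as "the user's keyring" rather than the gentoo-keys keyring; `# Default off here; cnf/repos.conf turns it on for ::gentoo.` and `# None lets gemato fall back to the user's keyring.` would match the behaviour. The enclosing method starts and ends outside the hunk.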
@@ -259,6 +269,14 @@ class RsyncSync(NewBase):
                                exitcode = EXCEEDED_MAX_RETRIES
                                break
                self._process_exitcode(exitcode, dosyncuri, out, maxretries)
+
+               # if synced successfully, verify now
+               if exitcode == 0 and self.verify_metamanifest:
+                       command = ['gemato', 'verify', '-s', self.repo.location]
+                       if self.openpgp_key_path is not None:
+                               command += ['-K', self.openpgp_key_path]
+                       exitcode = portage.process.spawn(command, 
**self.spawn_kwargs)
+
                return (exitcode, updatecache_flg)
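Review bot: A failed `gemato verify` run returns its exit code silently: `_process_exitcode` was already called with rsync's result on the line above, so nothing tells the user whether the non-zero status came from the transfer or from signature verification, and the tree that failed verification is already in place under `self.repo.location`. `updatecache_flg` is set outside the hunk and is returned unchanged on that path; if it drives a cache update of the synced tree, clearing it after a failed check seems warranted, e.g. `if exitcode != 0: updatecache_flg = False` directly after the spawn, together with a message on the module's usual output channel naming the verification failure. If `portage.process.spawn` raises when the `gemato` binary is missing rather than returning a status, that case also deserves a message identifying the missing tool, since the man page only mentions app-portage/gemato in passing. The enclosing method starts outside the hunk.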
 
 
