On Thu, Jan 25, 2018 at 3:45 PM, Michał Górny <[email protected]> wrote:
> On Thu, 25.01.2018 at 21:37 +0000, Robin H. Johnson wrote:
>> On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote:
>> > Title: Portage rsync tree verification
>> > Author: Michał Górny <[email protected]>
>> > Posted: 2018-01-xx
>> > Revision: 1
>> > News-Item-Format: 2.0
>> > Display-If-Installed: <sys-apps/portage-2.3.21
>>
>> Drop Display-If-Installed, they need to always see this until they know
>> it was bootstrapped.
>
> Well, the idea was that if someone starts with stage that has >2.3.21,
> then he has bootstrapped via verifying the stage signature.
>
>> > Starting with sys-apps/portage-2.3.22, Portage enables cryptographic
>> > verification of the Gentoo rsync repository distributed over rsync
>> > by default.
>>
>> Seems very wordy, suggested cleanup:
>> > > Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo
>> > > repository after rsync by default.
>> > This aims to prevent malicious third parties from altering
>> > the contents of the ebuild repository received by our users.
>> >
>> > This does not affect users syncing using git and other methods.
>> > Appropriate verification mechanisms for them will be provided
>> > in the future.
>>
>> Note that emerge-webrsync has verification via FEATURES=webrsync-gpg?
>
> I'm sorry, I have never used that. Does it cover full key maintenance
> or rely on user to do the gpg work?
>

It used to be necessary to set up a GnuPG home for portage and pull the
keys in, but now users can emerge app-crypt/gentoo-keys and set
PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release".

>>
>> Rewrite:
>> > > The new verification is intended for users who are syncing via rsync.
>> > > Users who sync by emerge-webrsync should see [linkref].
>> > > Verification mechanisms for other methods of sync will be provided in
>> > > future.
>>
>>
>> > On Gentoo installations created using installation media that included
>> > portage-2.3.22, the keys will already be covered by the installation
>> > media signatures. On existing installations, you need to manually
>> > compare the primary key fingerprint (reported by gemato on every sync)
>> > against the official Gentoo keys [1]. An example gemato output is:
>> > INFO:root:Valid OpenPGP signature found:
>> > INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
>> > INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
>>
>> Either we should use real key here, or specifically note this is a fake
>> key output on purpose.
>
> Well, I've assumed most people would be able to figure out that it would
> be quite a coincidence to see such a key id. I wanted to avoid putting
> the real id so that people would actually check that HTTPS site instead
> of relying on the security of news item delivery.
>
> Will send an updated version tomorrow.
>
> --
> Best regards,
> Michał Górny
>
>
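
Added example, not part of this thread and not code from Portage or gemato: one way to script the manual comparison the draft news item asks for, checking the primary key fingerprint in gemato's log lines against a fingerprint the user copied from the official HTTPS page. It assumes the log format is exactly the placeholder output quoted above and that fingerprints are 40 hex digits; the function names are hypothetical.

```python
import hmac
import re

# Constructed sample: the placeholder (fake) gemato output quoted in the thread.
SAMPLE_LOG = """\
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""

_KEY_LINE = re.compile(r"^INFO:root:- (primary key|subkey):\s*(.+?)\s*$")


def normalize_fingerprint(text):
    """Return a 40-hex-digit uppercase fingerprint, or raise ValueError.

    Accepts the space-grouped form often shown on web pages and an optional
    0x prefix. Short key IDs (8 or 16 hex digits) are rejected because they
    are not collision-resistant and must not be used for this comparison.
    """
    compact = "".join(text.split()).upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % text)
    return compact


def parse_gemato_keys(log_text):
    """Extract {'primary key': fpr, 'subkey': fpr} from gemato log lines."""
    keys = {}
    valid_seen = False
    for line in log_text.splitlines():
        if line.strip() == "INFO:root:Valid OpenPGP signature found:":
            valid_seen = True  # only trust key lines that follow this marker
            continue
        match = _KEY_LINE.match(line)
        if match and valid_seen:
            keys[match.group(1)] = normalize_fingerprint(match.group(2))
    return keys


def primary_key_matches(log_text, trusted_fingerprint):
    """True only if the log reports a primary key equal to the trusted one."""
    reported = parse_gemato_keys(log_text).get("primary key")
    if reported is None:
        return False  # no valid-signature report: treat as unverified
    trusted = normalize_fingerprint(trusted_fingerprint)
    return hmac.compare_digest(reported, trusted)
```

The trusted value has to come from the HTTPS key page itself, typed or pasted by the user; taking it from the news item or from the sync output would defeat the out-of-band check discussed above.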
