On Sat, 07 Mar 2015 18:31:44 -0800 Zac Medico <zmed...@gentoo.org> wrote:
> On 03/07/2015 05:24 PM, Brian Dolbec wrote: > > On Sat, 07 Mar 2015 15:26:26 -0800 > > Zac Medico <zmed...@gentoo.org> wrote: > > > >> On 03/06/2015 09:50 AM, Mark Kubacki wrote: > >>> We're on the same side here. > >>> > >>> Do we have numbers showing the ratio "portage used with defaults" > >>> vs. where "[webrsync-gpg] is described in many hardening guides > >>> for gentoo and widely used among the security conscious" applies? > >>> > >>> DNS not being encrypted is just painting the whole picture. Point > >>> is, the default is that "emerge --sync" results in a transfer > >>> using RSYNC (or http). > >>> > >>> And by default you cannot compare the result with any > >>> authoritative source. > >>> > >> > >> Ideally, we can rely on security mechanisms built into git [1], > >> possibly involving signed commits. > >> > >> [1] https://github.com/gentoo/gentoo-portage-rsync-mirror > > > > > > Actually, git makes it nearly impossible to get the correct info > > required to re-process the git commit signature. It is all embedded > > into the commit itself, but not in a way for gpg to be able to > > re-verify it. Git relies on the issuer's gpg verification status > > which it records in it's data before the push. So, without some > > major hacking on git data, it is not viable for routine > > verification purposes. > > Maybe we can use the relatively recently added git verify-commit > command [1]. If we run that command with --verbose, then we can use > that to verify that that a commit was signed with a trusted key. > Shouldn't verification of the HEAD commit be enough to vouch for the > integrity of the entire tree? > > [1] > https://github.com/git/git/commit/d07b00b7f31d0cb6675b4bdba269ce7f087ddd24 GREAT! So, same as for push --sign, we just need to configure a replacement gpg command for git that uses gkeys instead of gpg directly. That will simplify things over the previous. A replacement gpg command is needed because of the way gkeys stores the developer keys in separate keyrings. gkeys determines which keyring to use and runs gpg with the correct settings. It is also capable of searching is db for the correct keyring to verify against as well. -- Brian Dolbec <dolsen>
