On Friday 19 July 2019 18:21:46 CEST Ian Zimmerman wrote:
> On 2019-07-18 19:42, Stefano Crocco wrote:
> > Hello to everyone,
> > since yesterday emerge --sync fails because it can't refresh keys. The
> > messages I get are:
> >
> > Syncing repository 'gentoo' into '/usr/portage'...
> >
> > * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> > * Refreshing keys via WKD ... [ !! ]
> > * Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring refresh failed:
> > gpg: refreshing 4 keys from hkps://keys.gentoo.org
> > gpg: keyserver refresh failed: No keyserver available
> >
> > OpenPGP keyring refresh failed:
> > gpg: refreshing 4 keys from hkps://keys.gentoo.org
> > gpg: keyserver refresh failed: No keyserver available
>
> Perhaps something to do with this?
>
> https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
>
> Aside:
> I have already switched my personal gpg configuration to use the new
> isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article on gentoo.org. From what I understand, it said that in theory there shouldn't be problems when syncing because "The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability". Reading the article again, I now see it also says that "In the worst case; Gentoo repository syncs will be slow or hang" which, as you suggest, could very well be what's happened on my system. Unfortunately, the article doesn't say what to do if this happens.

Tomorrow I'll try investigating more.

Stefano

[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
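The certificate poisoning discussed in this thread floods a public key with so many signature packets that gpg stalls while importing it. The following script is an added example (not code from the thread or from Gentoo) that counts signature packets per primary key in `gpg --list-packets` output, so a keyring can be checked offline before a refresh; the dump is constructed and the threshold of 100 is an assumption for illustration.

```python
"""Count signature packets per primary key in `gpg --list-packets` output
and flag keys that look flooded (poisoned). Added example; the dump below
is constructed and the threshold is an assumption, not a gpg default."""
import re
from typing import Dict, List, Optional

KEYID_RE = re.compile(r"^\s*keyid:\s*([0-9A-F]{16})", re.I)

# Constructed excerpt shaped like `gpg --list-packets` output: one ordinary
# key with a self-signature and one certification, and one key carrying
# 500 signature packets (the poisoning pattern).
SAMPLE_DUMP = """\
# off=0 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
\tversion 4, algo 1, created 1500000000, expires 0
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Example Release Key <release@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1500000000, md5len 0, sigclass 0x13
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1500000100, md5len 0, sigclass 0x10
# off=900 ctb=99 tag=6 hlen=3 plen=525
:public key packet:
\tversion 4, algo 1, created 1500000000, expires 0
\tkeyid: CCCCCCCCCCCCCCCC
:user ID packet: "Flooded Key <flooded@example.invalid>"
""" + "".join(
    f":signature packet: algo 1, keyid {i:016X}\n"
    f"\tversion 4, created 1500001000, md5len 0, sigclass 0x10\n"
    for i in range(1, 501)
)


def count_signatures(dump: str) -> Dict[str, int]:
    """Map each primary keyid to the number of signature packets that
    follow it (self-signatures and subkey bindings included)."""
    counts: Dict[str, int] = {}
    current: Optional[str] = None
    awaiting_keyid = False  # set after ':public key packet:' until 'keyid:'
    for line in dump.splitlines():
        if line.startswith(":public key packet:"):
            awaiting_keyid, current = True, None
        elif awaiting_keyid:
            m = KEYID_RE.match(line)
            if m:
                current = m.group(1).upper()
                counts[current] = 0
                awaiting_keyid = False
        elif line.startswith(":signature packet:") and current:
            counts[current] += 1
    return counts


def flagged_keys(dump: str, limit: int = 100) -> List[str]:
    """Primary keyids whose signature count exceeds `limit`."""
    return sorted(k for k, n in count_signatures(dump).items() if n > limit)


if __name__ == "__main__":
    for keyid, n in count_signatures(SAMPLE_DUMP).items():
        print(f"{keyid}: {n} signature packets")
    print("suspicious:", flagged_keys(SAMPLE_DUMP))
```

On a real keyring, feed it `gpg --export | gpg --list-packets` and inspect any flagged key before refreshing from a keyserver.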

