Gentoo Forums
Forum Index :: Portage & Programming
Validated Gentoo repository snapshots

Massimo B. (Veteran)
Posted: Thu Feb 23, 2017 7:15 am    Post subject: Validated Gentoo repository snapshots

Hi, I'm testing #Validated_Gentoo_repository_snapshots, added the key to trusted, but I still get
Code:
Checking signature ...
gpg: Signature made Do 23 Feb 2017 01:51:47 CET
gpg:                using RSA key EC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...

Then why is the sync done at all if not trusted?
It doesn't matter which trust decision I set; even if I don't trust, the sync is always done:
Code:
# gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --edit-key 0xDB6B8C1F96D8BF6D trust
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa4096/DB6B8C1F96D8BF6D
     created: 2011-11-25  expires: 2018-07-01  usage: C   
     trust: never         validity: unknown
sub  rsa4096/EC590EEAC9189250
     created: 2011-11-25  expires: 2018-07-01  usage: S   
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub  rsa4096/DB6B8C1F96D8BF6D
     created: 2011-11-25  expires: 2018-07-01  usage: C   
     trust: never         validity: unknown
sub  rsa4096/EC590EEAC9189250
     created: 2011-11-25  expires: 2018-07-01  usage: S   
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 2

pub  rsa4096/DB6B8C1F96D8BF6D
     created: 2011-11-25  expires: 2018-07-01  usage: C   
     trust: never         validity: unknown
sub  rsa4096/EC590EEAC9189250
     created: 2011-11-25  expires: 2018-07-01  usage: S   
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Code:
# rm -f /usr/portage/metadata/timestamp.x
removed '/usr/portage/metadata/timestamp.x'

# emaint sync --repo gentoo
>>> Syncing repository 'gentoo' into '/usr/portage'...
Fetching most recent snapshot ...
Trying to retrieve 20170222 snapshot from http://ftp.halifax.rwth-aachen.de/gentoo ...
Fetching file portage-20170222.tar.xz.md5sum ...
Fetching file portage-20170222.tar.xz.gpgsig ...
Fetching file portage-20170222.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Do 23 Feb 2017 01:51:47 CET
gpg:                using RSA key EC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...


I often thought about how easy it could be to get infected by malware if the repository is hijacked. By moving all portage repos to github, the security is even concentrated on that 3rd party service. So signing the snapshots is the right way. It is still unclear what quality assurance is performed for a signature. If developers are just pushing and pulling with the github repo as the central point, then the daily signature would easily validate such malware as well.
Checksumming the single packages is one level, but a hijacked portage tree would link to a valid checksummed malware repository.

shrike (Apprentice)
Posted: Thu Feb 23, 2017 3:37 pm

Quote:
I often thought about how easy it could be to get infected by malware if the repository is hijacked. By moving all portage repos to github, the security is even concentrated on that 3rd party service. So signing the snapshots is the right way. It is still unclear what quality assurance is performed for a signature. If developers are just pushing and pulling with the github repo as the central point, then the daily signature would easily validate such malware as well.
Checksumming the single packages is one level, but a hijacked portage tree would link to a valid checksummed malware repository.

Agreed!

There is an open portage bug (https://bugs.gentoo.org/show_bug.cgi?id=597918) concerning the 'validated snapshots' feature, but I don't know if this is what's causing your problem, Massimo B.

Thanks for bringing this feature to my attn.

shrike

Massimo B. (Veteran)
Posted: Fri Feb 24, 2017 8:18 am

I was also pleased to get to know this security feature.

The bug seems to be about easier key management using gkeys. Establishing trust manually should already work. But I wonder why switching the trust does not make any difference, as shown in my example. Maybe I'm doing it wrong. I'd like to see a sync WARNING and early EXIT if the signature has failed.

Massimo B. (Veteran)
Posted: Fri Feb 24, 2017 8:24 am

When talking about Portage security in general:
The portage tree snapshot is secured by a 4096-bit RSA GPG key.

What about the files downloaded? Those are all checksummed via the Manifest file. Looking there, I see for every downloaded file of all ebuilds available for that package some Filesize+SHA256+SHA512+WHIRLPOOL hash. Which of those is checked? All, or only configuration-related ones?

Ant P. (Watchman)
Posted: Fri Feb 24, 2017 10:34 pm

Yes, those are all checked by default, see man 5 portage -> "manifest-hashes".

Genone (Retired Dev)
Posted: Tue Feb 28, 2017 8:01 am

By default all hashes are checked for all files. It's possible though to only require one valid hash for purely descriptive files (e.g. metadata.xml or changelogs) by changing the strict-misc-digests property of a repository.

Massimo B. (Veteran)
Posted: Wed Mar 22, 2017 6:21 am

shrike wrote:
Thanks for bringing this feature to my attn.

For those interested in overlays, I found these options in /etc/layman/layman.cfg: gpg_signed_lists, gpg_detached_lists
The official list is not signed and I have never seen an overlay list using that. Are there more official or unofficial overlay lists besides the layman-owned one out there?

Massimo B. (Veteran)
Posted: Fri Mar 24, 2017 7:08 am

So again, shouldn't this warning actually stop the sync? How can I verify the ownership with a trusted signature?
Code:
Fetching file portage-20170323.tar.xz.md5sum ...
Fetching file portage-20170323.tar.xz.gpgsig ...
Fetching file portage-20170323.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Fr 24 Mär 2017 01:51:49 CET
gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...


shrike (Apprentice)
Posted: Fri Mar 24, 2017 12:12 pm

Massimo B.,

I believe this is normal gpg behavior having to do with 'web of trust'. As I understand it you need to sign the key of a 'trusted' person using your key, then there would be no warning.

https://www.kernel.org/category/signatures.html

shrike

tholin (Apprentice)
Posted: Fri Mar 24, 2017 12:27 pm    Post subject: Re: Validated Gentoo repository snapshots

Massimo B. wrote:
Then why is the sync done at all if not trusted?
It doesn't matter which trust decision I set; even if I don't trust, the sync is always done:

emerge-webrsync just calls the gpg executable directly and checks the return value. gpg will only return an error if the signature doesn't match. Even if the signature is untrusted or the signature has expired, the return value will still indicate success. The gpg manual recommends that gpgme should be used instead of calling gpg directly the way emerge-webrsync does.

https://www.gnupg.org/documentation/manuals/gnupg/Programmatic-use-of-GnuPG.html#Programmatic-use-of-GnuPG
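As an added example (not code from the thread, from Portage or from emerge-webrsync), the POSIX shell script below does the check tholin describes the safer way: it parses GnuPG's machine-readable --status-fd output instead of the exit status, so a matching signature from an untrusted or expired key is rejected. The status lines it feeds in are constructed to resemble the thread's output, and verify_snapshot is a hypothetical wrapper that assumes gpg is installed.

```shell
#!/bin/sh
# Added example, not from the thread, Portage or emerge-webrsync: accept a
# detached snapshot signature only when GnuPG's status output reports both a
# valid signature AND a trusted key. The plain exit status that emerge-webrsync
# relies on is 0 for an untrusted or expired key as long as the signature matches.

# Reads "[GNUPG:] ..." status lines on stdin (keywords as documented in GnuPG's
# doc/DETAILS). Returns 0 only if VALIDSIG was seen, key validity is FULLY or
# ULTIMATE, and no bad-signature, expiry or revocation status appeared.
check_gpg_status() {
    validsig=0 trusted=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*) validsig=1 ;;
            "[GNUPG:] TRUST_FULLY"* | "[GNUPG:] TRUST_ULTIMATE"*) trusted=1 ;;
            "[GNUPG:] BADSIG "* | "[GNUPG:] ERRSIG "* | "[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] EXPSIG "* | "[GNUPG:] EXPKEYSIG "* | "[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$validsig" -eq 1 ] && [ "$trusted" -eq 1 ]
}

# Hypothetical wrapper for a real run (assumes gpg is installed): status lines
# go to stdout via --status-fd 1, the human-readable report stays on stderr.
verify_snapshot() {
    homedir=$1 sigfile=$2 snapshot=$3
    gpg --homedir "$homedir" --batch --status-fd 1 --verify "$sigfile" "$snapshot" \
        2>/dev/null | check_gpg_status
}

# Constructed status output resembling the thread's case: good signature from
# the snapshot subkey, but the key is "[unknown]" (TRUST_UNDEFINED).
sample_untrusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG EC590EEAC9189250 Gentoo Portage Snapshot Signing Key (Automated Signing Key)' \
        '[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2017-02-23 1487811107 0 4 0 1 10 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Constructed status output after the key has been locally signed (lsign) or
# otherwise made valid in the keyring.
sample_trusted() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG EC590EEAC9189250 Gentoo Portage Snapshot Signing Key (Automated Signing Key)' \
        '[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2017-02-23 1487811107 0 4 0 1 10 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D' \
        '[GNUPG:] TRUST_FULLY 0 pgp'
}

# Constructed: the signature matches, but the signing key has expired.
sample_expired() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] EXPKEYSIG EC590EEAC9189250 Gentoo Portage Snapshot Signing Key (Automated Signing Key)' \
        '[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2018-07-02 1530489600 0 4 0 1 10 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D' \
        '[GNUPG:] KEYEXPIRED 1530403200' \
        '[GNUPG:] TRUST_FULLY 0 pgp'
}

# Runs the three constructed cases and returns one "case:verdict" per case.
demo() {
    out=
    for c in untrusted trusted expired; do
        if "sample_$c" | check_gpg_status; then v=accept; else v=reject; fi
        out="${out:+$out }$c:$v"
    done
    printf '%s\n' "$out"
}

demo
```

Only the trusted case is accepted; the untrusted case, which is exactly what the thread's "WARNING: This key is not certified" output corresponds to, and the expired-key case are both rejected even though gpg itself would exit 0 for them.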

Massimo B. (Veteran)
Posted: Fri Mar 24, 2017 1:28 pm

So you say this is worth a bug report?

tholin (Apprentice)
Posted: Fri Mar 24, 2017 2:44 pm

Massimo B. wrote:
So you say this is worth a bug report?

It's a known problem.
https://bugs.gentoo.org/show_bug.cgi?id=570734
https://bugs.gentoo.org/show_bug.cgi?id=597918

Massimo B. (Veteran)
Posted: Thu Aug 17, 2017 5:47 pm

I found another old guide from the PPC friends showing how to set this up: https://wiki.gentoo.org/wiki/Handbook:PPC/Working/Features#Validated_Gentoo_repository_snapshots
But there is no activity on the bug tickets anymore. Having gpg signed snapshots is one important thing to secure Gentoo.

Some similar discussion was going on here some time ago: Checking signature after emerge-webrsync - GPG question

Massimo B. (Veteran)
Posted: Fri Jan 12, 2018 12:12 pm

Looking again after the GPG snapshots...

Current emerge --sync returns:
Code:
Checking signature ...
gpg: Signature made Fr 12 Jan 2018 01:51:27 CET
gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...

While the current keys of app-crypt/gentoo-keys-201607021514-r2 do not have this signature:
Code:
# gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release  --list-keys --keyid-format LONG
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
---------------------------------------------------------
pub   rsa4096/825533CBF6CD6C97 2014-10-03 [C] [expired: 2017-09-17]
      D2DE1DBBA0F43EBA341B97D8825533CBF6CD6C97
uid                 [ expired] Gentoo-keys Team <gkeys@gentoo.org>

pub   dsa1024/9E6438C817072058 2004-07-20 [SC] [expires: 2018-07-01]
      D99EAC7379A850BCE47DA5F29E6438C817072058
uid                 [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>
sub   elg2048/0403710E1415B4ED 2004-07-20 [E] [expires: 2018-07-01]

pub   rsa4096/DB6B8C1F96D8BF6D 2011-11-25 [C] [expires: 2018-07-01]
      DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
uid                 [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sub   rsa4096/EC590EEAC9189250 2011-11-25 [S] [expires: 2018-07-01]

pub   rsa4096/BB572E0E2D182910 2009-08-25 [SC] [expired: 2017-08-25]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid                 [ expired] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

Is the gentoo-keys ebuild not well maintained? Should I just add that signature to my trusted keyring?

charles17 (Advocate)
Posted: Fri Jan 12, 2018 4:53 pm

Maybe you want to try gpg --refresh-keys?

tld (Veteran)
Posted: Fri Jan 12, 2018 6:06 pm

charles17 wrote:
Maybe you want to try gpg --refresh-keys?
I use emerge-webrsync and I had this in my notes around updating the keys:
Code:
gpg --homedir=/etc/portage/gpg --refresh-keys
Seems to do the trick.

Tom

charles17 (Advocate)
Posted: Sat Jan 13, 2018 6:19 am

tld wrote:
I use emerge-webrsync and I had this in my notes around updating the keys:
Code:
gpg --homedir=/etc/portage/gpg --refresh-keys
Seems to do the trick

The Handbook article explicitly mentions --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release

tld (Veteran)
Posted: Sat Jan 13, 2018 4:01 pm

charles17 wrote:
tld wrote:
I use emerge-webrsync and I had this in my notes around updating the keys:
Code:
gpg --homedir=/etc/portage/gpg --refresh-keys
Seems to do the trick

The Handbook article explicitly mentions --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release

Interesting. In my case what I'm doing is correct because I have this in make.conf:
Code:
PORTAGE_GPG_DIR="/etc/portage/gpg"
I know I didn't proactively decide on that, so I think it may have been the suggested location at one time.

Tom

Massimo B. (Veteran)
Posted: Wed Jan 17, 2018 2:01 pm

Isn't updating /var/lib/gentoo/gkeys/keyrings/gentoo/release the job of the app-crypt/gentoo-keys package itself? Or does signing the tree with keys coming from the tree violate the trust chain in general?

I tried updating:
Code:
# gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release  --refresh-keys --keyserver-options http-proxy="http://gateway:8080"
gpg: refreshing 4 keys from hkps://hkps.pool.sks-keyservers.net
gpg: key BB572E0E2D182910: 7 signatures not checked due to missing keys
gpg: key BB572E0E2D182910: 1 bad signature
gpg: key BB572E0E2D182910: "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" 5 new signatures
gpg: key DB6B8C1F96D8BF6D: 11 signatures not checked due to missing keys
gpg: key DB6B8C1F96D8BF6D: "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" 4 new signatures
gpg: key 9E6438C817072058: 80 signatures not checked due to missing keys
gpg: key 9E6438C817072058: "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>" 3 new signatures
gpg: key 825533CBF6CD6C97: 2 signatures not checked due to missing keys
gpg: key 825533CBF6CD6C97: "Gentoo-keys Team <gkeys@gentoo.org>" 3 new signatures
gpg: key 825533CBF6CD6C97: "Gentoo-keys Team <gkeys@gentoo.org>" 1 new subkey
gpg: Total number processed: 4
gpg:            new subkeys: 1
gpg:         new signatures: 15
gpg: no ultimately trusted keys found

It has updated something. I tried syncing the tree again to see if the warning has disappeared:
Code:
Checking signature ...
gpg: Signature made Mi 17 Jan 2018 01:51:39 CET
gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
Getting snapshot timestamp ...
Syncing local tree ...
No, still the same issue.

But still the question: in the case when the tree was untrusted due to invalid keys, why did portage continue the sync instead of failing with a big warning?

Last edited by Massimo B. on Mon Feb 05, 2018 7:02 am; edited 1 time in total

Massimo B. (Veteran)
Posted: Wed Jan 31, 2018 8:26 am

Massimo B. wrote:
Code:
Checking signature ...
gpg: WARNING: This key is not certified with a trusted signature!
No, still the same issue.

No idea?

People start to understand the necessity of trusted snapshots regarding the latest eselect news: 2018-01-30-portage-rsync-verification
This does not apply to me yet as I moved to sync-type = git for proxy environments and now even back to old sync-type = webrsync just because of the #Validated_Gentoo_repository_snapshots. Will that be obsolete due to the new signing method app-portage/gemato?

Ant P. (Watchman)
Posted: Thu Feb 01, 2018 1:17 am

Not quite. If a webrsync-gpg validation fails, it aborts the sync and you stay on the old version. If rsync validation fails, you get a warning but you get to keep the pieces, and portage won't tell you again.

Massimo B. (Veteran)
Posted: Thu Feb 01, 2018 8:13 am

This would mean the new rsync validation is less secure. Why don't they abort the sync as well, because the validation can only be done when all is already synced? They could at least tell portage to block any update, but even then you can't get the old valid snapshot of the tree back.

I'm still lost why I can't add the GPG keys to trusted and why the untrusted one only warns but does not abort.

b52_ (n00b)
Posted: Sun Feb 04, 2018 4:41 pm

Hi Massimo,

I had the same issue in the past and was able to solve it with gpg's onboard tools.
Quote:
Code:
gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]

..means this is a GOOD trusted key; everything is all right because you decided to trust it, probably because you checked the keyid and it was the id written on the gentoo website. Thus not an error.
Quote:
Code:
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

..tells you: well, even if you trust that key, it could be from anybody claiming to be gentoo. This is a warning, not an error. In the web of trust you need signatures on user ids to prove your or someone's identity.
You can either ignore this warning or simply solve it by signing the gentoo ids with your local key.

First create a local key with
Code:
gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --full-generate-key

and then (local) sign the gentoo ids with
Code:
gpg --homedir  /var/lib/gentoo/gkeys/keyrings/gentoo/release --edit-key <KEYID> lsign


I read somewhere that you could alternatively trust the gentoo-keys ultimately (5). But I didn't try it.

b52

Massimo B. (Veteran)
Posted: Mon Feb 05, 2018 7:05 am

Thanks, that worked, got rid of the warning and have learned about local signing.
But I still wonder about, what I have described in my first comment: If I make that gentoo signature untrusted, then the webrsync still goes on. Shouldn't it stop if the signature is not trusted? This would be the most important about signed snapshots.

charles17 (Advocate)
Posted: Tue Feb 06, 2018 6:32 am

Massimo B. wrote:
... Shouldn't it stop if the signature is not trusted? ...

IMHO it should. Or better have a customizable (abort / proceed) behavior.

The new rsync tree verification also would not stop
https://gentoo.org/support/news-items/2018-01-30-portage-rsync-verification.html wrote:
Please note that the verification currently does not prevent Portage
from using the repository after syncing. ...

Page 1 of 2. All times are GMT.