| 1 |
Hi Duncan |
| 2 |
|
| 3 |
On Mon, Aug 4, 2014 at 10:52 PM, Duncan <1i5t5.duncan@×××.net> wrote: |
| 4 |
<SNIP> |
| 5 |
> |
| 6 |
> 3) While #1 applies to the tree in general when it is rsynced, gentoo |
| 7 |
> does have a somewhat higher security sync method for the paranoid and to |
| 8 |
> support users behind firewalls which don't pass rsync. Instead of |
| 9 |
> running emerge sync, this method uses the emerge-webrsync tool, which |
| 10 |
> downloads the entire main gentoo tree as a gpg-signed tarball. If you |
| 11 |
> have FEATURES=webrsync-gpg set (see the make.conf manpage, FEATURES, |
| 12 |
> webrsync-gpg), portage will verify the gpg signature on this tarball. |
| 13 |
> |
| 14 |
|
| 15 |
I'm finally able to investigate this today. I'm not finding very |
| 16 |
detailed instructions anywhere , more like notes people would use if |
| 17 |
they've done this before and understand all the issues. Being that |
| 18 |
it's my first excursion down this road I have much to learn. |
| 19 |
|
| 20 |
OK, I've modified make.conf as such: |
| 21 |
|
| 22 |
FEATURES="buildpkg strict webrsync-gpg" |
| 23 |
PORTAGE_GPG_DIR="/etc/portage/gpg" |
| 24 |
|
| 25 |
and created /etc/portage/gpg: |
| 26 |
|
| 27 |
|
| 28 |
c2RAID6 portage # ls -al |
| 29 |
total 72 |
| 30 |
drwxr-xr-x 13 root root 4096 Aug 6 14:25 . |
| 31 |
drwxr-xr-x 87 root root 4096 Aug 6 09:10 .. |
| 32 |
drwxr-xr-x 2 root root 4096 Apr 27 10:26 bin |
| 33 |
-rw-r--r-- 1 root root 22 Jan 1 2014 categories |
| 34 |
drwxr-xr-x 2 root root 4096 Jul 6 09:42 env |
| 35 |
drwx------ 2 root root 4096 Aug 6 14:03 gpg |
| 36 |
-rw-r--r-- 1 root root 1573 Aug 6 14:03 make.conf |
| 37 |
lrwxrwxrwx 1 root root 63 Mar 5 2013 make.profile -> |
| 38 |
../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde |
| 39 |
[the rest deleted...] |
| 40 |
|
| 41 |
|
| 42 |
eix-sync seems to be working but it may (or may not) be caught in some |
| 43 |
loop where it just keeps looking for older data. I let it go until it |
| 44 |
got back into July and then did a Ctrl-C: |
| 45 |
|
| 46 |
c2RAID6 portage # eix-sync -wa |
| 47 |
* Running emerge-webrsync |
| 48 |
Fetching most recent snapshot ... |
| 49 |
Trying to retrieve 20140805 snapshot from http://gentoo.osuosl.org ... |
| 50 |
Fetching file portage-20140805.tar.xz.md5sum ... |
| 51 |
Fetching file portage-20140805.tar.xz.gpgsig ... |
| 52 |
Fetching file portage-20140805.tar.xz ... |
| 53 |
Checking digest ... |
| 54 |
Checking signature ... |
| 55 |
gpg: Signature made Tue Aug 5 17:55:23 2014 PDT using RSA key ID C9189250 |
| 56 |
gpg: Can't check signature: No public key |
| 57 |
Fetching file portage-20140805.tar.bz2.md5sum ... |
| 58 |
Fetching file portage-20140805.tar.bz2.gpgsig ... |
| 59 |
Fetching file portage-20140805.tar.bz2 ... |
| 60 |
Checking digest ... |
| 61 |
Checking signature ... |
| 62 |
gpg: Signature made Tue Aug 5 17:55:22 2014 PDT using RSA key ID C9189250 |
| 63 |
gpg: Can't check signature: No public key |
| 64 |
Fetching file portage-20140805.tar.gz.md5sum ... |
| 65 |
20140805 snapshot was not found |
| 66 |
Trying to retrieve 20140804 snapshot from http://gentoo.osuosl.org ... |
| 67 |
Fetching file portage-20140804.tar.xz.md5sum ... |
| 68 |
Fetching file portage-20140804.tar.xz.gpgsig ... |
| 69 |
Fetching file portage-20140804.tar.xz ... |
| 70 |
Checking digest ... |
| 71 |
Checking signature ... |
| 72 |
gpg: Signature made Mon Aug 4 17:55:27 2014 PDT using RSA key ID C9189250 |
| 73 |
gpg: Can't check signature: No public key |
| 74 |
|
| 75 |
|
| 76 |
QUESTIONS: |
| 77 |
|
| 78 |
1) Is the 'No public key' message talking about me, or something at |
| 79 |
the source? I haven't got any keys so maybe i need to generate one? |
| 80 |
|
| 81 |
2) Once I do get this working correctly it would make sense to me that |
| 82 |
I need to delete all existing distfiles to ensure that anything on my |
| 83 |
system actually came from this tarball. Is that correct? |
| 84 |
|
| 85 |
|
| 86 |
<SNIP> |
| 87 |
> So sync-method bottom line, if you're paranoid or simply want additional |
| 88 |
> gpg-signed security, use emerge-webrsync along with FEATURES=webrsync-gpg, |
| 89 |
> instead of normal rsync-based emerge sync. That pretty well ensures that |
| 90 |
> you're getting exactly the gentoo tree tarball gentoo built and signed, |
| 91 |
> which is certainly far more secure than normal rsync syncing, but because |
| 92 |
> the tarballing and signing is automated and covers the entire tree, |
| 93 |
> there's still the possibility that one or more files in that tarball are |
| 94 |
> compromised and that it hasn't been detected yet. |
| 95 |
|
| 96 |
Or, as we both have eluded to, the bad guy is intercepting the |
| 97 |
transmission and giving me a different tarball... |
| 98 |
|
| 99 |
For now, it's more than enough to take a baby first step. |
| 100 |
|
| 101 |
Thanks for all your sharing of info! |
| 102 |
|
| 103 |
Cheers, |
| 104 |
Mark |
Archives