Hi Duncan

On Mon, Aug 4, 2014 at 10:52 PM, Duncan <1i5t5.duncan@×××.net> wrote:
<SNIP>
>
> 3) While #1 applies to the tree in general when it is rsynced, gentoo
> does have a somewhat higher security sync method for the paranoid and to
> support users behind firewalls which don't pass rsync. Instead of
> running emerge sync, this method uses the emerge-webrsync tool, which
> downloads the entire main gentoo tree as a gpg-signed tarball. If you
> have FEATURES=webrsync-gpg set (see the make.conf manpage, FEATURES,
> webrsync-gpg), portage will verify the gpg signature on this tarball.
>

I'm finally able to investigate this today. I'm not finding very
detailed instructions anywhere, more like notes people would use if
they've done this before and understand all the issues. Being that
it's my first excursion down this road I have much to learn.

OK, I've modified make.conf as such:

FEATURES="buildpkg strict webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"

and created /etc/portage/gpg:

c2RAID6 portage # ls -al
total 72
drwxr-xr-x 13 root root 4096 Aug 6 14:25 .
drwxr-xr-x 87 root root 4096 Aug 6 09:10 ..
drwxr-xr-x 2 root root 4096 Apr 27 10:26 bin
-rw-r--r-- 1 root root 22 Jan 1 2014 categories
drwxr-xr-x 2 root root 4096 Jul 6 09:42 env
drwx------ 2 root root 4096 Aug 6 14:03 gpg
-rw-r--r-- 1 root root 1573 Aug 6 14:03 make.conf
lrwxrwxrwx 1 root root 63 Mar 5 2013 make.profile -> ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
[the rest deleted...]

eix-sync seems to be working but it may (or may not) be caught in some
loop where it just keeps looking for older data. I let it go until it
got back into July and then did a Ctrl-C:

c2RAID6 portage # eix-sync -wa
* Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140805 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140805.tar.xz.md5sum ...
Fetching file portage-20140805.tar.xz.gpgsig ...
Fetching file portage-20140805.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug 5 17:55:23 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.bz2.md5sum ...
Fetching file portage-20140805.tar.bz2.gpgsig ...
Fetching file portage-20140805.tar.bz2 ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug 5 17:55:22 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.gz.md5sum ...
20140805 snapshot was not found
Trying to retrieve 20140804 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140804.tar.xz.md5sum ...
Fetching file portage-20140804.tar.xz.gpgsig ...
Fetching file portage-20140804.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Mon Aug 4 17:55:27 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key

QUESTIONS:

1) Is the 'No public key' message talking about me, or something at
the source? I haven't got any keys so maybe I need to generate one?

2) Once I do get this working correctly it would make sense to me that
I need to delete all existing distfiles to ensure that anything on my
system actually came from this tarball. Is that correct?

<SNIP>
> So sync-method bottom line, if you're paranoid or simply want additional
> gpg-signed security, use emerge-webrsync along with FEATURES=webrsync-gpg,
> instead of normal rsync-based emerge sync. That pretty well ensures that
> you're getting exactly the gentoo tree tarball gentoo built and signed,
> which is certainly far more secure than normal rsync syncing, but because
> the tarballing and signing is automated and covers the entire tree,
> there's still the possibility that one or more files in that tarball are
> compromised and that it hasn't been detected yet.

Or, as we both have alluded to, the bad guy is intercepting the
transmission and giving me a different tarball...

For now, it's more than enough to take a baby first step.

Thanks for all your sharing of info!

Cheers,
Mark
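As an added example, not code from this thread or from Gentoo's portage: the script below stages the situation in Mark's log with a throwaway key and a constructed tarball. gpg's "Can't check signature: No public key" means the keyring gpg was pointed at (for webrsync-gpg, the one in PORTAGE_GPG_DIR) holds no public key for the signing key ID, so it is a local condition; the script shows the check failing against an empty keyring, passing once the signer's public key is imported, and failing again on a tarball altered after signing. The signer name, the tarball and the two keyring directories are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "No public key" outcome with
# a throwaway key and a constructed tarball, then show that importing the
# signer's public key into the verifying keyring is what makes the check pass.
# demo@example.invalid and portage-snapshot.tar are constructed names.
demo_webrsync_gpg() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 2; }
  work=$(mktemp -d) || return 1
  signer="$work/signer"   # stands in for the keyring that signs the snapshots
  verify="$work/verify"   # stands in for a freshly created, empty PORTAGE_GPG_DIR
  mkdir -m 700 "$signer" "$verify" || return 1
  echo allow-loopback-pinentry > "$signer/gpg-agent.conf"  # older gpg 2.1 needs this
  tarball="$work/portage-snapshot.tar"; sig="$tarball.gpgsig"
  printf 'constructed snapshot contents\n' > "$tarball"
  export LC_ALL=C   # keep gpg's messages in English so the grep below is stable

  # 1. Signer side: generate a key and produce the detached .gpgsig file
  GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Signer <demo@example.invalid>' rsa2048 sign never 2>/dev/null || return 1
  GNUPGHOME=$signer gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$sig" "$tarball" 2>/dev/null || return 1

  # 2. Verifier side, empty keyring: gpg cannot check the signature. The
  #    complaint is about the local keyring, not about the mirror or the tarball.
  if GNUPGHOME=$verify gpg --batch --verify "$sig" "$tarball" 2>"$work/err"; then
    echo "unexpected: signature verified against an empty keyring"; return 1
  fi
  grep -q 'No public key' "$work/err" || return 1

  # 3. Import the signer's public key into the verifying keyring; now it passes
  GNUPGHOME=$signer gpg --batch --export demo@example.invalid \
    | GNUPGHOME=$verify gpg --batch --quiet --import 2>/dev/null || return 1
  GNUPGHOME=$verify gpg --batch --verify "$sig" "$tarball" 2>/dev/null || return 1

  # 4. Having the key is not enough on its own: a tarball altered after signing
  #    (the interception case Mark mentions) must still be rejected
  printf 'tampered\n' >> "$tarball"
  if GNUPGHOME=$verify gpg --batch --verify "$sig" "$tarball" 2>/dev/null; then
    echo "unexpected: tampered tarball verified"; return 1
  fi

  GNUPGHOME=$signer gpgconf --kill gpg-agent 2>/dev/null
  GNUPGHOME=$verify gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  echo "ok: empty keyring -> No public key; after import -> verified; tampered -> rejected"
  return 0
}

DEMO_RC=0
demo_webrsync_gpg || DEMO_RC=$?
```

DEMO_RC is 0 when all three outcomes matched and 2 when gpg is not installed; any other value means a step behaved unexpectedly.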