Gentoo Archives: gentoo-amd64

From: Mark Knecht <markknecht@×××××.com>
To: Gentoo AMD64 <gentoo-amd64@l.g.o>
Subject: Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)
Date: Thu, 07 Aug 2014 18:16:28
Message-Id: CAK2H+eehi3-j-m=tuUtnfJk8hNpOMdyZxYH=pSu+E_MXmGgXSA@mail.gmail.com
In Reply to: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?) by Duncan <1i5t5.duncan@cox.net>
This is a bit long but it's mostly just stuff copied from my terminal
for completeness.
-MWK

On Wed, Aug 6, 2014 at 5:58 PM, Duncan <1i5t5.duncan@×××.net> wrote:
> Mark Knecht posted on Wed, 06 Aug 2014 14:33:28 -0700 as excerpted:
>
>> OK, I've modified make.conf as such:
>>
>> FEATURES="buildpkg strict webrsync-gpg"
>> PORTAGE_GPG_DIR="/etc/portage/gpg"
>>
>> and created /etc/portage/gpg:
>
>> drwxr-xr-x 2 root root 4096 Jul 6 09:42
>
<SNIP>
>
> Or wait! Actually I can, as google says that's actually part of the
> gentoo handbook! =:^) (Watch the link-wrap and reassemble as necessary,
> I'm lazy today. The arch doesn't matter for this bit so x86/amd64, it's
> all the same.)
>
> https://www.gentoo.org/doc/en/handbook/handbook-x86.xml?
> part=2&chap=3#webrsync-gpg
>

Great link! Thanks. So I think the important stuff is here; the first
2 lines I managed on my own, but the gpg part is what's new to me:

[QUOTE]
# mkdir -p /etc/portage/gpg
# chmod 0700 /etc/portage/gpg
(... Substitute the keys with those mentioned on the release
engineering site ...)
# gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0xDB6B8C1F96D8BF6D
# gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
[/QUOTE]

From the comment about the Release Engineering site, I think that's here:

https://www.gentoo.org/proj/en/releng/

And the keys match, which is good.

Anyway, running the first command is fine. The second command wants me to
make a choice. For now I chose to 'ultimately trust'. (Aren't I gullible!?!)

[COPY]
c2RAID6 ~ # gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
gpg (GnuPG) 2.0.25; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from different
sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> list

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1)* Gentoo Portage Snapshot Signing Key (Automated Signing Key)

gpg> check
uid Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig!3 96D8BF6D 2011-11-25 [self-signature]
6 signatures not checked due to missing keys

gpg> quit
c2RAID6 ~ #


[/COPY]


I'm not sure how, short of a reboot, to 'restart the program', nor what the line

6 signatures not checked due to missing keys

really means. That said, it appears to be working better than yesterday:


c2RAID6 ~ # eix-sync -w
* Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140806 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140806.tar.xz.md5sum ...
Fetching file portage-20140806.tar.xz.gpgsig ...
Fetching file portage-20140806.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Wed Aug 6 17:55:26 2014 PDT using RSA key ID C9189250
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-11-24
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]
Getting snapshot timestamp ...
Syncing local tree ...

Number of files: 178933
Number of files transferred: 6846
Total file size: 327.27M bytes
Total transferred file size: 19.96M bytes
Literal data: 19.96M bytes
Matched data: 0 bytes
File list size: 4.32M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 12.38M
Total bytes received: 156.23K

sent 12.38M bytes received 156.23K bytes 166.03K bytes/sec
total size is 327.27M speedup is 26.11
Cleaning up ...
* Copying old database to /var/cache/eix/previous.eix
* Running eix-update
Reading Portage settings ..
<SNIP>
[474] "zx2c4" layman/zx2c4 (cache: eix* /tmp/eix-remote.MbcFER9d/zx2c4.eix [*/zx2c4])
Reading Packages .. Finished
Applying masks ..
Calculating hash tables ..
Writing database file /var/cache/eix/remote.eix ..
Database contains 31587 packages in 234 categories.
* Calling eix-diff
Diffing databases (17596 -> 17598 packages)
[>] == games-util/umodpack (0.5_beta16-r1 -> 0.5_beta16-r2): portable and useful [un]packer for Unreal Tournament's Umod files
[U] == media-libs/libbluray (0.5.0-r1{tbz2}@06/19/14; (~)0.5.0-r1{tbz2} -> (~)0.6.1): Blu-ray playback libraries
[>] == net-misc/chrony (1.30^t -> 1.30-r1^t): NTP client and server programs
[U] == sys-devel/gnuconfig (20131128{tbz2}@02/18/14; 20131128{tbz2} -> 20140212): Updated config.sub and config.guess file from GNU
[U] == virtual/libgudev (215(0/0){tbz2}@08/05/14; 215(0/0){tbz2} -> 215-r1(0/0)): Virtual for libgudev providers
[U] == virtual/libudev (215(0/1){tbz2}@08/05/14; 215(0/1){tbz2} -> 215-r1(0/1)): Virtual for libudev providers
[D] == www-client/google-chrome-beta (37.0.2062.58_p1{tbz2}@08/05/14; (~)37.0.2062.58_p1^msd{tbz2} -> ~37.0.2062.68_p1^msd): The web browser from Google
[U] == www-client/google-chrome-unstable (38.0.2107.3_p1{tbz2}@08/06/14; (~)38.0.2107.3_p1^msd{tbz2} -> (~)38.0.2114.2_p1^msd): The web browser from Google
[N] >> dev-ruby/prawn-table (~0.1.0): Provides support for tables in Prawn
[N] >> sys-apps/cv (~0.4.1): Coreutils Viewer: show progress for cp, rm, dd, and so forth
* Time statistics:
136 seconds for syncing
43 seconds for eix-update
2 seconds for eix-diff
197 seconds total
c2RAID6 ~ #


So that's all looking pretty good, as a first step. If it's a matter
of 3 1/2 minutes instead of 1-2 minutes then I can live with that
part. However that's just (I think) the portage tree and not signed
source code, correct?

Now, is the idea that I have a validated portage snapshot at this
point and still have to actually get the code using the regular emerge
which will do the checking because I have:

FEATURES="buildpkg strict webrsync-gpg"

I don't see any evidence that emerge checked what it downloaded, but
maybe those checks are only done when I really build the code?


c2RAID6 ~ # emerge -fDuN @world
Calculating dependencies... done!

>>> Fetching (1 of 5) sys-devel/gnuconfig-20140212
>>> Downloading 'http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2'
--2014-08-07 11:12:11-- http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44808 (44K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/gnuconfig-20140212.tar.bz2'

100%[================================================================>] 44,808 113KB/s in 0.4s

2014-08-07 11:12:13 (113 KB/s) - '/usr/portage/distfiles/gnuconfig-20140212.tar.bz2' saved [44808/44808]

* gnuconfig-20140212.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]

>>> Fetching (2 of 5) media-libs/libbluray-0.6.1
>>> Downloading 'http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2'
--2014-08-07 11:12:13-- http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 586646 (573K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/libbluray-0.6.1.tar.bz2'

100%[================================================================>] 586,646 716KB/s in 0.8s

2014-08-07 11:12:15 (716 KB/s) - '/usr/portage/distfiles/libbluray-0.6.1.tar.bz2' saved [586646/586646]

* libbluray-0.6.1.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]

>>> Fetching (3 of 5) virtual/libudev-215-r1

>>> Fetching (4 of 5) virtual/libgudev-215-r1

>>> Fetching (5 of 5) www-client/google-chrome-unstable-38.0.2114.2_p1
>>> Downloading 'http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb'
--2014-08-07 11:12:16-- http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb
Resolving dl.google.com... 74.125.239.2, 74.125.239.6, 74.125.239.4, ...
Connecting to dl.google.com|74.125.239.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47472462 (45M) [application/x-debian-package]
Saving to: '/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb'

100%[================================================================>] 47,472,462 6.81MB/s in 7.1s

2014-08-07 11:12:23 (6.37 MB/s) - '/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb' saved [47472462/47472462]

* google-chrome-unstable_38.0.2114.2-1_amd64.deb SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
c2RAID6 ~ #


Cheers,
Mark
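An added example, not code from the thread or from Portage itself, illustrating the check behind the `SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]` lines in the `emerge -f` output above: each distfile is compared against the size and digests recorded for it in the ebuild's Manifest, and because the Manifest files live inside the GPG-verified snapshot, a good snapshot signature is what makes those digests trustworthy. The Manifest `DIST` line format is Portage's; the file contents, file name and the zero-filled WHIRLPOOL value below are constructed for the example, and the pass/fail rule (size must match, no computed digest may disagree, at least one digest must actually have been computed) is a simplification of Portage's, not a copy of it.

```python
import hashlib

# Algorithms this host can compute. WHIRLPOOL is absent from hashlib on most
# Python builds, so a Manifest entry listing it is reported as "skipped"
# rather than silently counted as verified.
AVAILABLE = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}


def parse_manifest(text):
    """Return {filename: (size, {ALG: hexdigest})} for the DIST lines of a Manifest."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue
        name, size = fields[1], int(fields[2])
        # Remaining fields alternate ALG HEX ALG HEX ...
        digests = dict(zip(fields[3::2], fields[4::2]))
        entries[name] = (size, digests)
    return entries


def verify_distfile(data, entry):
    """Check the byte size plus every digest we can compute.

    ok is True only if the size matches, no computed digest disagrees, and
    at least one digest was actually computed: an entry that lists only
    algorithms we cannot run proves nothing about the file.
    """
    expected_size, digests = entry
    problems, checked, skipped = [], [], []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    for alg, expected_hex in digests.items():
        impl = AVAILABLE.get(alg)
        if impl is None:
            skipped.append(alg)
            continue
        if hashlib.new(impl, data).hexdigest() != expected_hex.lower():
            problems.append(f"{alg} mismatch")
        else:
            checked.append(alg)
    if not checked:
        problems.append("no verifiable digest")
    return {"ok": not problems, "checked": checked,
            "skipped": skipped, "problems": problems}


def make_dist_line(name, data):
    """Build a constructed DIST entry for sample data, in the shape a real
    Manifest carries (the WHIRLPOOL value here is a placeholder)."""
    return " ".join(["DIST", name, str(len(data)),
                     "SHA256", hashlib.sha256(data).hexdigest(),
                     "SHA512", hashlib.sha512(data).hexdigest(),
                     "WHIRLPOOL", "0" * 128])


# Constructed sample: a fake tarball and the Manifest line describing it.
SAMPLE_NAME = "example-1.0.tar.bz2"
SAMPLE_DATA = b"constructed tarball bytes, not a real distfile\n"
SAMPLE_MANIFEST = make_dist_line(SAMPLE_NAME, SAMPLE_DATA)

if __name__ == "__main__":
    entry = parse_manifest(SAMPLE_MANIFEST)[SAMPLE_NAME]
    print("intact file:  ", verify_distfile(SAMPLE_DATA, entry))
    print("appended byte:", verify_distfile(SAMPLE_DATA + b"x", entry))
    print("same size, other content:",
          verify_distfile(bytes(len(SAMPLE_DATA)), entry))
```

The "same size, other content" case is the one worth keeping in mind when reading the `size` part of the `[ ok ]` line: size alone catches truncated downloads, but only the digests catch a substituted file of the same length.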

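A second added example, not from the thread, on the trust question raised above. The `6 signatures not checked due to missing keys` line from `gpg> check` refers to certifications on the snapshot key's user ID made by other keys that are not in the `/etc/portage/gpg` keyring; gpg cannot verify those, but they have no bearing on whether the snapshot signature itself checks out. The "restart the program" note is satisfied by any later gpg start, which is why the next `emerge-webrsync` run prints `checking the trustdb` and then `[ultimate]`. Setting ownertrust to ultimate is what makes the key valid in the web-of-trust sense, but an automated verifier does not need ownertrust at all if it pins the full fingerprint of the key it expects: gpg's `--status-fd` output reports a `VALIDSIG` line with the signing key's fingerprint (and, as its last field, the primary key's), so a script can insist that the signature came from exactly that key. The parser below does that; it assumes the documented `[GNUPG:]` status line format, the fingerprints and status lines are constructed placeholders, and `verify_snapshot` (which shells out to gpg) is included for completeness but not exercised offline.

```python
import re
import subprocess

HEX40 = re.compile(r"[0-9A-Fa-f]{40}")
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def evaluate_status(status_text, expected_fpr, require_trust=False):
    """Decide from gpg --status-fd output whether a signature is acceptable.

    Returns (ok, reason). Acceptance requires a VALIDSIG whose signing-key
    or primary-key fingerprint equals expected_fpr. Ownertrust is only
    consulted when require_trust is set, because a pinned fingerprint
    already identifies the key regardless of the trust database.
    """
    validsig_fprs, trust, failure = [], None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "VALIDSIG" and len(fields) > 2:
            validsig_fprs.append(fields[2].upper())          # signing (sub)key
            if len(fields) > 3 and HEX40.fullmatch(fields[-1]):
                validsig_fprs.append(fields[-1].upper())     # primary key
        elif tag in FAILURE_TAGS:
            failure = tag
        elif tag.startswith("TRUST_"):
            trust = tag
    if failure:
        return False, f"gpg reported {failure}"
    if not validsig_fprs:
        return False, "no VALIDSIG line: nothing was verified"
    if expected_fpr.upper() not in validsig_fprs:
        return False, "valid signature, but not from the expected key"
    if require_trust and trust not in ACCEPTED_TRUST:
        return False, f"key trust is {trust}, not full/ultimate"
    return True, "signature valid and made by the expected key"


def verify_snapshot(sigfile, datafile, expected_fpr, homedir="/etc/portage/gpg"):
    """Run gpg on a detached signature and judge its status output (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--status-fd", "1",
         "--verify", sigfile, datafile],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout, expected_fpr)


# Constructed placeholders: 40-hex-digit fingerprints that belong to no real key.
SUBKEY_FPR = "1234567890ABCDEF" * 2 + "12345678"
PRIMARY_FPR = "FEDCBA0987654321" * 2 + "FEDCBA09"

# Constructed status output in the shape gpg emits for a good detached signature.
SAMPLE_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} Example Snapshot Signing Key (constructed)",
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2014-08-06 1407372926 0 4 0 1 10 00 {PRIMARY_FPR}",
    "[GNUPG:] TRUST_ULTIMATE 0 pgp",
])
SAMPLE_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] BADSIG {SUBKEY_FPR[-16:]} Example Snapshot Signing Key (constructed)",
])

if __name__ == "__main__":
    print(evaluate_status(SAMPLE_GOOD, PRIMARY_FPR))
    print(evaluate_status(SAMPLE_GOOD, "0" * 40))
    print(evaluate_status(SAMPLE_BAD, PRIMARY_FPR))
```

The design point is that `GOODSIG` and the human-readable `Good signature from ...` text only say that some key in the keyring produced a valid signature; a keyring that has picked up an extra key would still print them. Matching the `VALIDSIG` fingerprint against a value you control is what ties the check to the key you meant to trust.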