commit: b1ab50f40c32959c0341dcdb37e6d4a99a25c712 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
AuthorDate: Fri Jul 5 05:09:06 2019 +0000 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
CommitDate: Fri Jul 5 05:39:20 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=b1ab50f4 |
|
sync: Split key refresh into explicit WKD/keyserver phases |
|
Split key refresh into two parts: first try to refresh the key via WKD, |
then via keyservers, rather than using the combined function that is |
less explicit. This ensures that users are correctly informed whether |
keyservers are actually used, and therefore whether they may be subject |
to SKS poisoning attacks. Furthermore, it excludes WKD from the retry loop. |
|
Reviewed-by: Zac Medico <zmedico <AT> gentoo.org> |
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> |
|
lib/portage/sync/syncbase.py | 10 ++++++++-- |
1 file changed, 8 insertions(+), 2 deletions(-) |
|
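diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py
index d15bb6d14..46644d68e 100644
--- a/lib/portage/sync/syncbase.py
+++ b/lib/portage/sync/syncbase.py
@@ -252,11 +252,17 @@ class SyncBase(object):
 @type openpgp_env: gemato.openpgp.OpenPGPEnvironment
 """
 out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts))
+out.ebegin('Refreshing keys via WKD')
+if openpgp_env.refresh_keys_wkd():
+out.eend(0)
+return
+out.eend(1)
+
 out.ebegin('Refreshing keys from keyserver{}'.format(
 ('' if self.repo.sync_openpgp_keyserver is None else ' ' + self.repo.sync_openpgp_keyserver)))
 retry_decorator = self._key_refresh_retry_decorator()
 if retry_decorator is None:
-openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
 else:
 def noisy_refresh_keys():
 """
@@ -264,7 +270,7 @@ class SyncBase(object):
 errors, display errors as soon as they occur.
 """
 try:
-openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
 except Exception as e:
 writemsg_level("%s\n" % (e,),
 level=logging.ERROR, noiselevel=-1)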
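Review bot: The new WKD phase at the top of the first hunk opens `out.ebegin('Refreshing keys via WKD')` but only closes it on the two return-value paths; if `openpgp_env.refresh_keys_wkd()` can raise (a network or gemato error) rather than returning False, the `ebegin` is left dangling and the exception propagates out of the method, so the keyserver fallback below is never attempted — whether it raises cannot be confirmed from the hunk, so please check gemato's contract. Mirroring the handling already used in `noisy_refresh_keys` (catch, report via `writemsg_level`, treat as a failed WKD attempt) would keep the fallback reachable and the status output balanced. The enclosing method starts above the hunk; its docstring, which ends at the `"""` context line, should also state the new two-phase contract, e.g. `Refresh keys via WKD first; contact the configured keyserver (with optional retry) only if the WKD refresh does not succeed.`

```python
out.ebegin('Refreshing keys via WKD')
try:
    refreshed = openpgp_env.refresh_keys_wkd()
except Exception as e:
    # Keep the keyserver fallback reachable if the WKD lookup itself fails.
    writemsg_level("%s\n" % (e,), level=logging.ERROR, noiselevel=-1)
    refreshed = False
if refreshed:
    out.eend(0)
    return
out.eend(1)
# … unchanged: keyserver refresh with optional retry decorator …
```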