
From: "Michał Górny" <mgorny@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/portage:master commit in: pym/portage/sync/modules/rsync/
Date: Mon, 05 Feb 2018 18:44:51
Message-Id: 1517856095.a02b5f9f0ae428eeb6cdc30bb3bcb7ac647358de.mgorny@gentoo
1 commit: a02b5f9f0ae428eeb6cdc30bb3bcb7ac647358de
2 Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
3 AuthorDate: Thu Feb 1 11:44:49 2018 +0000
4 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 5 18:41:35 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=a02b5f9f
7
8 rsync: Verify the Manifest signature even if tree is unchanged
9
10 Always verify the Manifest signature if verification is enabled.
11 Skipping the deep tree verification for unchanged case is reasonable
12 but we need to make sure the Manifest signature stays valid to catch
13 the case of the signing key being revoked.
14
15 Reviewed-by: Zac Medico <zmedico <AT> gentoo.org>
16
17 pym/portage/sync/modules/rsync/rsync.py | 13 +++++++++----
18 1 file changed, 9 insertions(+), 4 deletions(-)
19
20 diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
21 index 39c4066d8..e6e218868 100644
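--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -292,7 +292,7 @@ class RsyncSync(NewBase):
 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
 
 # if synced successfully, verify now
- if exitcode == 0 and not local_state_unchanged and self.verify_metamanifest:
+ if exitcode == 0 and self.verify_metamanifest:
 if gemato is None:
 writemsg_level("!!! Unable to verify: gemato-11.0+ is required\n",
 level=logging.ERROR, noiselevel=-1)
@@ -315,6 +315,8 @@ class RsyncSync(NewBase):
 openpgp_env.refresh_keys()
 out.eend(0)
 
+ # we always verify the Manifest signature, in case
+ # we had to deal with key revocation case
 m = gemato.recursiveloader.ManifestRecursiveLoader(
 os.path.join(self.repo.location, 'Manifest'),
 verify_openpgp=True,
@@ -336,9 +338,12 @@ class RsyncSync(NewBase):
 out.einfo('- timestamp: %s UTC' % (
 m.openpgp_signature.timestamp))
 
- out.ebegin('Verifying %s' % (self.repo.location,))
- m.assert_directory_verifies()
- out.eend(0)
+ # if nothing has changed, skip the actual Manifest
+ # verification
+ if not local_state_unchanged:
+ out.ebegin('Verifying %s' % (self.repo.location,))
+ m.assert_directory_verifies()
+ out.eend(0)
 except GematoException as e:
 writemsg_level("!!! Manifest verification failed:\n%s\n"
 % (e,),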
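Review bot: The new `if not local_state_unchanged:` guard in the last hunk skips `m.assert_directory_verifies()` on the assumption that the files on disk were already verified by an earlier run, and nothing visible in this hunk establishes that. If a previous sync updated the tree but its verification failed or was interrupted, a later run that finds the tree unchanged would presumably check only the top-level Manifest signature and report success; how `local_state_unchanged` is computed is outside the hunk, so this should be confirmed there. At minimum the added comment should state the limit, e.g. `# tree unchanged: only the Manifest signature is re-checked, file contents are not re-verified`. The enclosing `try:` and the rest of the `except GematoException` handler lie outside the hunk.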