commit: a02b5f9f0ae428eeb6cdc30bb3bcb7ac647358de |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
AuthorDate: Thu Feb 1 11:44:49 2018 +0000 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 5 18:41:35 2018 +0000 |
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=a02b5f9f |
|
rsync: Verify the Manifest signature even if tree is unchanged |
|
Always verify the Manifest signature if verification is enabled. |
Skipping the deep tree verification in the unchanged case is reasonable, |
but we need to make sure the Manifest signature stays valid to catch |
the case of the signing key being revoked. |
|
Reviewed-by: Zac Medico <zmedico <AT> gentoo.org> |
|
pym/portage/sync/modules/rsync/rsync.py | 13 +++++++++---- |
1 file changed, 9 insertions(+), 4 deletions(-) |
|
diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py |
21 |
index 39c4066d8..e6e218868 100644 |
22 |
--- a/pym/portage/sync/modules/rsync/rsync.py |
23 |
+++ b/pym/portage/sync/modules/rsync/rsync.py |
24 |
@@ -292,7 +292,7 @@ class RsyncSync(NewBase): |
25 |
self._process_exitcode(exitcode, dosyncuri, out, maxretries) |
26 |
|
27 |
# if synced successfully, verify now |
28 |
- if exitcode == 0 and not local_state_unchanged and self.verify_metamanifest: |
29 |
+ if exitcode == 0 and self.verify_metamanifest: |
30 |
if gemato is None: |
31 |
writemsg_level("!!! Unable to verify: gemato-11.0+ is required\n", |
32 |
level=logging.ERROR, noiselevel=-1) |
33 |
@@ -315,6 +315,8 @@ class RsyncSync(NewBase): |
34 |
openpgp_env.refresh_keys() |
35 |
out.eend(0) |
36 |
|
37 |
+ # we always verify the Manifest signature, in case |
38 |
+ # we had to deal with key revocation case |
39 |
m = gemato.recursiveloader.ManifestRecursiveLoader( |
40 |
os.path.join(self.repo.location, 'Manifest'), |
41 |
verify_openpgp=True, |
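Review bot: The two comment lines added above the `m = gemato.recursiveloader.ManifestRecursiveLoader(` call read awkwardly and leave out the point a reader needs, namely why the signature is now checked on every sync rather than only when the tree changed. I would replace them with `# Always verify the Manifest signature, even when the tree is unchanged, so that a signing key revoked since the last sync is still detected.` It is also worth stating in that comment that only the signature is checked in the unchanged case, because `assert_directory_verifies()` is skipped in the next hunk when `local_state_unchanged` is set, so any local divergence from the Manifest that does not also make rsync report a change is only caught on a later sync that does change the tree. Whether `verify_openpgp=True` makes the loader verify the signature at construction time or on a later call is not visible in this hunk and should be confirmed against the gemato version the code requires. The enclosing method starts and ends outside this hunk.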
42 |
@@ -336,9 +338,12 @@ class RsyncSync(NewBase): |
43 |
out.einfo('- timestamp: %s UTC' % ( |
44 |
m.openpgp_signature.timestamp)) |
45 |
|
46 |
- out.ebegin('Verifying %s' % (self.repo.location,)) |
47 |
- m.assert_directory_verifies() |
48 |
- out.eend(0) |
49 |
+ # if nothing has changed, skip the actual Manifest |
50 |
+ # verification |
51 |
+ if not local_state_unchanged: |
52 |
+ out.ebegin('Verifying %s' % (self.repo.location,)) |
53 |
+ m.assert_directory_verifies() |
54 |
+ out.eend(0) |
55 |
except GematoException as e: |
56 |
writemsg_level("!!! Manifest verification failed:\n%s\n" |
57 |
% (e,), |