From: Eli Schwartz <eschwartz@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Date: Wed, 27 Nov 2024 23:24:53 -0500
Subject: Re: [gentoo-dev] [PATCH 1/2] sec-keys.eclass: new eclass
Message-ID: <5612b61e-a2dd-46ec-87c5-3a5314ef2fe6@gentoo.org>
In-Reply-To: <796bd145558001d054ee56ec23eed31385ae453a.camel@gentoo.org>
References: <20241127203042.1503004-1-eschwartz@gentoo.org> <796bd145558001d054ee56ec23eed31385ae453a.camel@gentoo.org>

On 11/27/24 4:12 PM, Michał Górny wrote:
> On Wed, 2024-11-27 at 15:30 -0500, Eli Schwartz wrote:
>> The current state of verify-sig support is a bit awkward. We rely on
>> validating distfiles against a known trusted keyring, but creating the
>> known trusted keyring is basically all manual verification. We somehow
>> decide an ascii armored key is good enough without any portage
>> assistance, then arrange to download it and trust it by Manifest hash.
>> How do we know when updating a key is actually safe?
>>
>> This eclass handles the problem in a manner inspired in part by pacman.
>> We require an eclass variable that lists all permitted PGP fingerprints,
>> and the eclass is responsible for checking that list against the keys we
>> will install. It comes with a mechanism for computing SRC_URI for a
>> couple of well known locations, or you can append your own in the
>> ebuild.
>
> How about adding a src_test() that would check if the key needs bumping,
> i.e. if an online update triggers any meaningful changes?

This is a really nice suggestion. I used Sam's tip about pgpdump, so that
we print a diff after the online update, and fail if diff produces a diff.

We use a cleaned and minimized version of the key, so it will only
show/trigger on changes to the uid or self-sig packets, which isn't
exactly the same as "meaningful changes". For example, running the tests
on the gnutls keyring in the second patch, Daiki's key has been updated
on Ubuntu with an additional expiry date change for a secondary uid,
which may be meaningful in certain senses but we can validate it just
fine using the primary uid.

-- 
Eli Schwartz
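The "minimize, pgpdump, diff" check that the reply describes, written out as an added shell illustration. This is not the sec-keys.eclass code and not part of the thread; it assumes GnuPG 2.x and the pgpdump tool are installed, uses a placeholder keyserver name, and the sample dump text it embeds is constructed in an approximate pgpdump layout rather than real pgpdump output. The live check runs in a throwaway GNUPGHOME so the user's own keyring is never modified; the constructed sample reproduces the case from the reply where only a secondary uid's expiry changed upstream.

```shell
#!/bin/sh
# Added illustration (not sec-keys.eclass): does a pinned OpenPGP key need a
# bump? Export a cleaned, minimal form of the key, dump its packets with
# pgpdump, refresh from a keyserver, dump again, and fail when the dumps differ.
# Assumptions: gpg (GnuPG 2.x) and pgpdump on PATH; keyserver is a placeholder.

# Dump the packet structure of one fingerprint from the keyring in $GNUPGHOME.
# export-minimal,export-clean strips third-party signatures and unusable
# components, so only uid and self-signature changes survive into the diff.
dump_minimal_key() {
    gpg --batch --export-options export-minimal,export-clean \
        --export "$1" | pgpdump
}

# Compare two pgpdump outputs: status 0 when identical, 1 when they differ.
# The unified diff is printed so a build log shows exactly what changed.
compare_key_dumps() {
    if diff -u "$1" "$2"; then
        return 0
    fi
    echo "key packets changed upstream: review and bump the pinned key" >&2
    return 1
}

# Live check for one fingerprint held in an ASCII-armored file. Uses a
# throwaway GNUPGHOME; returns 2 on gpg failure, else compare_key_dumps' status.
check_key_needs_bump() {
    fpr=$1
    keyfile=$2
    keyserver=${3:-hkps://keyserver.example.invalid}   # placeholder, not a real server
    GNUPGHOME=$(mktemp -d) || return 2
    export GNUPGHOME
    rc=2
    if gpg --batch --import "$keyfile" &&
       dump_minimal_key "$fpr" > "$GNUPGHOME/before.txt" &&
       gpg --batch --keyserver "$keyserver" --refresh-keys "$fpr" &&
       dump_minimal_key "$fpr" > "$GNUPGHOME/after.txt"
    then
        compare_key_dumps "$GNUPGHOME/before.txt" "$GNUPGHOME/after.txt"
        rc=$?
    fi
    rm -rf "$GNUPGHOME"
    return "$rc"
}

# Constructed sample (approximate pgpdump layout, not captured output): the
# minimized key before and after a refresh that only moved the expiry of the
# secondary uid's self-signature. Writes before.txt and after.txt into $1.
write_sample_dumps() {
    cat > "$1/before.txt" <<'EOF'
Old: User ID Packet(tag 13)(49 bytes)
        User ID - Example Maintainer <maintainer@example.invalid>
Old: Signature Packet(tag 2)(150 bytes)
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Hashed Sub: key expiration time(sub 9)(4 bytes)
                Time - Wed Jun 11 00:00:00 UTC 2025
Old: User ID Packet(tag 13)(44 bytes)
        User ID - Example Maintainer <maint@work.example.invalid>
Old: Signature Packet(tag 2)(150 bytes)
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Hashed Sub: key expiration time(sub 9)(4 bytes)
                Time - Wed Jun 11 00:00:00 UTC 2025
EOF
    # Only the last line (the secondary uid's expiry) differs after the refresh.
    sed '$s/2025/2026/' "$1/before.txt" > "$1/after.txt"
}

# Stand-alone demo on the constructed sample: `sh thisfile.sh demo`.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_dumps "$d"
    compare_key_dumps "$d/before.txt" "$d/after.txt"
    echo "compare status: $?   (1 = key changed, would fail src_test)"
    rm -rf "$d"
fi
```

A src_test built on this idea inherits the caveat from the reply: the diff fires on any uid or self-signature change, including a harmless expiry extension on a secondary uid, so a failure means "look at the change", not necessarily "the key is no longer trustworthy".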