Hi,

This one would be committed once the new sys-apps/portage release is wrapped
up and hits ~arch.

---
Title: Portage rsync tree verification
Author: Michał Górny <mgorny@g.o>
Posted: 2018-01-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: <sys-apps/portage-2.3.21

Starting with sys-apps/portage-2.3.22, Portage enables strong
cryptographic verification of the Gentoo rsync tree by default.
This aims to prevent malicious third parties from altering the contents
of the ebuild repository received by our users.

The verification is implemented using app-portage/gemato. Currently,
the whole repository is verified after syncing. On systems with slow
hard drives, this could take around 2 minutes. If you wish to disable
it, you can disable the 'rsync-verify' flag on sys-apps/portage
or set 'sync-rsync-verify-metamanifest = no' in your repos.conf.

Please note that the verification currently does not prevent Portage
from using the repository after syncing. If 'emerge --sync' fails,
do not install any packages and retry syncing. In case of prolonged
or frequent verification failures, please make sure to report a bug
including the failing mirror addresses (found in emerge.log).

The verification uses keys provided by the app-crypt/gentoo-keys
package. The keys are refreshed from the keyserver before every use
in order to check for revocation. The post-sync verification ensures
that the key package itself is verified. However, manual verification
is required before the first use.

On new Gentoo installations including portage-2.3.22, the verification
of the keys will be covered by verifying the installation media
and repository snapshot signatures. On existing installations, you need
to manually compare the primary key fingerprint (reported by gemato
on every sync) against the official Gentoo keys [1]. An example gemato
output is:

INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09

The primary key printed must match 'Gentoo Portage Snapshot Signing Key'
on the site. Please make sure to also check the certificate used
for the secure connection to the site!

[1]: https://www.gentoo.org/downloads/signatures/
---
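As an added example (not part of the news item, nor code from Portage or gemato), the manual fingerprint comparison described above can be scripted so that it is repeated on every sync rather than done by eye once. The script below reads gemato's log output, extracts the "primary key" line and compares it against a pinned fingerprint. EXPECTED_FPR is set to the news item's placeholder fingerprint and must be replaced with the real 'Gentoo Portage Snapshot Signing Key' fingerprint taken from the signatures page; SAMPLE_OUTPUT is constructed from the example output above.

```shell
#!/bin/sh
# Compare the primary key fingerprint reported by gemato against a pinned value.
# EXPECTED_FPR is a PLACEHOLDER (the example fingerprint from the news item);
# replace it with the fingerprint of 'Gentoo Portage Snapshot Signing Key'
# obtained out of band from https://www.gentoo.org/downloads/signatures/
EXPECTED_FPR="1234567890ABCDEF1234567890ABCDEF12345678"

# Constructed sample of gemato output, mirroring the news item's example.
SAMPLE_OUTPUT='INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09'

# extract_primary_key: read gemato log text on stdin, print the first
# 40-hex-digit primary key fingerprint found (nothing if absent).
extract_primary_key() {
    sed -n 's/^INFO:root:- primary key: \([0-9A-Fa-f]\{40\}\)$/\1/p' | head -n 1
}

# check_primary_key EXPECTED: read gemato output on stdin; return 0 only if
# the reported primary key equals EXPECTED (case-insensitive). A missing
# primary key line is treated as a failure, not as a pass.
check_primary_key() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    actual=$(extract_primary_key | tr 'a-f' 'A-F')
    if [ -z "$actual" ]; then
        echo "no primary key line found in gemato output" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "primary key $actual matches pinned fingerprint" >&2
        return 0
    fi
    echo "MISMATCH: gemato reported $actual, expected $expected" >&2
    return 1
}

# Usage against a real sync (not executed here): capture the sync log and
# refuse to continue with installs when the pinned key does not match.
#   emerge --sync 2>&1 | tee /var/log/last-sync.log
#   check_primary_key "$EXPECTED_FPR" < /var/log/last-sync.log \
#       || echo "verification key mismatch: do not install packages" >&2
```

The comparison is anchored on the full 40-hex-digit fingerprint rather than a short key ID, and an absent "primary key" line fails closed, so a sync that produced no signature output at all is reported instead of silently accepted.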

--
Best regards,
Michał Górny