| 1 |
Here's the updated version: |
| 2 |
|
| 3 |
--- |
| 4 |
Title: Portage rsync tree verification |
| 5 |
Author: Michał Górny <mgorny@g.o> |
| 6 |
Posted: 2018-01-xx |
| 7 |
Revision: 1 |
| 8 |
News-Item-Format: 2.0 |
| 9 |
Display-If-Installed: <sys-apps/portage-2.3.21 |
| 10 |
|
| 11 |
Starting with sys-apps/portage-2.3.22, Portage enables cryptographic |
| 12 |
verification of the Gentoo rsync repository distributed over rsync |
| 13 |
by default. This aims to prevent malicious third parties from altering |
| 14 |
the contents of the ebuild repository received by our users. |
| 15 |
|
| 16 |
This does not affect users syncing using git and other methods. |
| 17 |
Appropriate verification mechanisms for them will be provided |
| 18 |
in the future. |
| 19 |
|
| 20 |
The verification is implemented via using app-portage/gemato. Currently, |
| 21 |
the whole repository is verified after syncing. On systems with slow |
| 22 |
hard drives, this could take around 2 minutes. If you wish to disable |
| 23 |
it, you can disable the 'rsync-verify' USE flag on sys-apps/portage |
| 24 |
or set 'sync-rsync-verify-metamanifest = no' in your repos.conf. |
| 25 |
|
| 26 |
Please note that the verification currently does not prevent Portage |
| 27 |
from using the repository after syncing. If 'emerge --sync' fails, |
| 28 |
do not install any packages and retry syncing. In case of prolonged |
| 29 |
or frequent verification failures, please make sure to report a bug |
| 30 |
including the failing mirror addresses (found in emerge.log). |
| 31 |
|
| 32 |
The verification uses information from the binary keyring provided |
| 33 |
by the app-crypt/gentoo-keys package. The keys are refreshed |
| 34 |
from the keyserver before every use in order to check for revocation. |
| 35 |
The post-sync verification ensures that the key package is verified |
| 36 |
itself. However, manual verification is required before the first use. |
| 37 |
|
| 38 |
On Gentoo installations created using installation media that included |
| 39 |
portage-2.3.22, the keys will already be covered by the installation |
| 40 |
media signatures. On existing installations, you need to manually |
| 41 |
compare the primary key fingerprint (reported by gemato on every sync) |
| 42 |
against the official Gentoo keys [1]. An example gemato output is: |
| 43 |
|
| 44 |
INFO:root:Valid OpenPGP signature found: |
| 45 |
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678 |
| 46 |
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09 |
| 47 |
|
| 48 |
The primary key printed must match 'Gentoo Portage Snapshot Signing Key' |
| 49 |
on the site. Please make sure to also check the certificate used |
| 50 |
for the secure connection to the site! |
| 51 |
|
| 52 |
[1]:https://www.gentoo.org/downloads/signatures/ |
| 53 |
--- |
| 54 |
|
| 55 |
-- |
| 56 |
Best regards, |
| 57 |
Michał Górny |
Archives