Hopefully the final version.

---
Title: Portage rsync tree verification
Author: Michał Górny <mgorny@g.o>
Posted: 2018-01-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-apps/portage

Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo
repository after rsync by default.

The new verification is intended for users who are syncing via rsync.
Verification mechanisms for other methods of sync will be provided
in the future.

This does not affect users syncing using git and other methods.
Appropriate verification mechanisms for them will be provided
in the future.

The verification is implemented via app-portage/gemato. Currently,
the whole repository is verified after syncing. On systems with slow
hard drives, this could take around 2 minutes. If you wish to disable
it, you can disable the 'rsync-verify' USE flag on sys-apps/portage
or set 'sync-rsync-verify-metamanifest = no' in your repos.conf.

Please note that the verification currently does not prevent Portage
from using the repository after syncing. If 'emerge --sync' fails,
do not install any packages and retry syncing. In case of prolonged
or frequent verification failures, please make sure to report a bug
including the failing mirror addresses (found in emerge.log).

The verification uses information from the binary keyring provided
by the app-crypt/gentoo-keys package. The keys are refreshed
from the keyserver before every use in order to check for revocation.
The post-sync verification also covers the key package itself.
However, manual verification of the key is required before the first use.

On Gentoo installations created using installation media that included
portage-2.3.22, the keys will already be covered by the installation
media signatures. On existing installations, you need to manually
compare the primary key fingerprint (reported by gemato on every sync)
against the official Gentoo keys [1]. An example gemato output is:

INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09

Please note that the above snippet does not include the real key id
on purpose. The primary key actually printed by gemato must match
the 'Gentoo Portage Snapshot Signing Key' on the website. Please make
sure to also check the certificate used for the secure connection
to the site!
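To make the manual fingerprint comparison described above repeatable, here is an added example in POSIX sh; it is not part of the news item, gemato or Portage. The gemato log text is a constructed sample and EXPECTED_FPR is a placeholder that must be replaced with the fingerprint read from the signatures page over a verified TLS connection.

```shell
#!/bin/sh
# Added example (not from the news item): compare the primary key fingerprint
# that gemato prints after 'emerge --sync' with the one you read from
# https://www.gentoo.org/downloads/signatures/ (after checking the site's
# certificate).
#
# PLACEHOLDER: replace with the real 'Gentoo Portage Snapshot Signing Key'
# fingerprint. The value here only matches the constructed sample log below.
EXPECTED_FPR="1234567890ABCDEF1234567890ABCDEF12345678"

# Constructed sample of gemato output, mirroring the news item's example.
SAMPLE_LOG='INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09'

# Read gemato log text on stdin and print the first reported primary key
# fingerprint, upper-cased and without spaces. Prints nothing if no
# "primary key" line is present.
primary_key_fpr() {
    sed -n 's/^.*- primary key:[[:space:]]*//p' | head -n 1 \
        | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_fingerprint LOGTEXT EXPECTED
# Returns 0 only when a primary key was reported and it equals EXPECTED;
# 2 when no primary key line was found, 1 on a mismatch.
check_fingerprint() {
    got=$(printf '%s\n' "$1" | primary_key_fpr)
    if [ -z "$got" ]; then
        echo "no OpenPGP primary key reported; do not trust this sync" >&2
        return 2
    fi
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    if [ "$got" != "$want" ]; then
        echo "fingerprint MISMATCH: got $got, expected $want" >&2
        return 1
    fi
    echo "primary key fingerprint matches: $got"
    return 0
}

# Run against the constructed sample. On a real system you would feed it
# the captured sync log, e.g.:
#   check_fingerprint "$(emerge --sync 2>&1)" "$EXPECTED_FPR"
check_fingerprint "$SAMPLE_LOG" "$EXPECTED_FPR"
```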

[1]: https://www.gentoo.org/downloads/signatures/

--
Best regards,
Michał Górny