On 01/25/2018 11:04 AM, Michał Górny wrote:
> Hi,
>

Thanks for your work on this!

> This one would be committed once new sys-apps/portage release is
> wrapped up and hits ~arch.
>
> ---
> Title: Portage rsync tree verification
> Author: Michał Górny <mgorny@g.o>
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <sys-apps/portage-2.3.21
>
> Starting with sys-apps/portage-2.3.22, Portage enables strong
> cryptographic verification of the Gentoo rsync tree by default. This
> aims to prevent malicious third parties from altering the contents of
> the ebuild repository received by our users.

Just for sake of it, would remove "strong" here, as it is a description
and not PR document. Should we be consistent with referencing, so e.g.
the Gentoo ebuild repository as distributed through rsync, or something?
Atm we seem to be using different terms all over the place, so should try
to harmonize a bit.

>
> The verification is implemented using app-portage/gemato. Currently,

... "implemented in", as opposed to "using"? it's implemented using
various cryptographic primitives, but gemato is the implementation
itself of sorts.

> the whole repository is verified after syncing. On systems with slow
> hard drives, this could take around 2 minutes. If you wish to
> disable it, you can disable the 'rsync-verify' flag on

USE flag?

> sys-apps/portage or set 'sync-rsync-verify-metamanifest = no' in your
> repos.conf.
>
> Please note that the verification currently does not prevent Portage
> from using the repository after syncing. If 'emerge --sync' fails, do
> not install any packages and retry syncing. In case of prolonged or
> frequent verification failures, please make sure to report a bug
> including the failing mirror addresses (found in emerge.log).
>
> The verification uses keys provided by the app-crypt/gentoo-keys
> package. The keys are refreshed from the keyserver before every use
> in order to check for revocation. The post-sync verification ensures
> that the key package is verified itself. However, manual
> verification is required before the first use.

Maybe some wording around binary keyring? e.g. the verification uses
information from the binary keyring provided by app-crypt/gentoo-keys?
In particular the reference to "key package" might be misread (and the
keyring consists of multiple public keyblocks, that includes much more
information than the cryptographic keys per se)

>
> On new Gentoo installations including portage-2.3.22, the

stage3s?

> verification of the keys will be covered by verifying the
> installation media and repository snapshot signatures. On existing
> installations, you need to manually compare the primary key
> fingerprint (reported by gemato on every sync) against the official
> Gentoo keys [1]. An example gemato output is:
>
> INFO:root:Valid OpenPGP signature found:
> INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
> INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
>
> The primary key printed must match 'Gentoo Portage Snapshot Signing
> Key' on the site. Please make sure to also check the certificate
> used for the secure connection to the site!
>
> [1]:https://www.gentoo.org/downloads/signatures/
> ---
>

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
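
The manual comparison the draft news item asks for (the primary key fingerprint reported by gemato against the one published on the Gentoo signatures page), as an added example that is not part of the original e-mail and is not gemato's or Portage's own code. It assumes gemato writes one log record per line as in the quoted sample; the function names are hypothetical, the log lines are constructed from the draft's placeholder fingerprints, and the reference value has to be copied by hand from the site.

```python
import re

# Assumed line shape, taken from the gemato sample quoted in the draft.
PRIMARY_LINE = re.compile(r"INFO:root:- primary key:\s*(.+)$")

def normalize(fpr):
    """Drop whitespace, upper-case, and require a full 40-hex-digit fingerprint."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        # Rejects short key IDs and truncated copy-and-paste.
        raise ValueError(f"not a full 40-digit fingerprint: {fpr!r}")
    return cleaned

def primary_keys(log_text):
    """Return every primary key fingerprint reported in the sync output."""
    found = []
    for line in log_text.splitlines():
        match = PRIMARY_LINE.search(line.strip())
        if match:
            found.append(normalize(match.group(1)))
    return found

def check_primary_key(log_text, reference):
    """True only if a signature was reported and every primary key matches.

    The subkey line is ignored on purpose: the news item says to compare
    the primary key against the published value.
    """
    expected = normalize(reference)
    reported = primary_keys(log_text)
    if not reported:
        return False  # no signature reported counts as a failed check
    return all(key == expected for key in reported)

# Constructed sample: the placeholder fingerprints from the draft, not real keys.
SAMPLE_LOG = """\
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""
# Reference as it would be copied from a web page, grouped in fours.
REFERENCE = "1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678"

if __name__ == "__main__":
    print("match" if check_primary_key(SAMPLE_LOG, REFERENCE) else "MISMATCH")
```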