Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-portage-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-portage-dev] [PATCH 3/5] rsync: Verify the Manifest signature even if tree is unchanged
Date: Thu, 01 Feb 2018 12:17:33
Message-Id: 20180201121707.8623-4-mgorny@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH] rsync: Improve gemato rsync Manifest verification logic by "Michał Górny"
1 Always verify the Manifest signature if verification is enabled.
2 Skipping the deep tree verification for unchanged case is reasonable
3 but we need to make sure the Manifest signature stays valid to catch
4 the case of the signing key being revoked.
5 ---
6 pym/portage/sync/modules/rsync/rsync.py | 13 +++++++++----
7 1 file changed, 9 insertions(+), 4 deletions(-)
8
9 diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
10 index f6e59e211..b1faf1ec9 100644
11 --- a/pym/portage/sync/modules/rsync/rsync.py
12 +++ b/pym/portage/sync/modules/rsync/rsync.py
13 @@ -292,7 +292,7 @@ class RsyncSync(NewBase):
14 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
15
16 # if synced successfully, verify now
17 - if exitcode == 0 and not local_state_unchanged and self.verify_metamanifest:
18 + if exitcode == 0 and self.verify_metamanifest:
19 if gemato is None:
20 writemsg_level("!!! Unable to verify: gemato not found\n",
21 level=logging.ERROR, noiselevel=-1)
22 @@ -315,6 +315,8 @@ class RsyncSync(NewBase):
23 openpgp_env.refresh_keys()
24 out.eend(0)
25
26 + # we always verify the Manifest signature, in case
27 + # we had to deal with key revocation case
28 m = gemato.recursiveloader.ManifestRecursiveLoader(
29 os.path.join(self.repo.location, 'Manifest'),
30 verify_openpgp=True,
31 @@ -336,9 +338,12 @@ class RsyncSync(NewBase):
32 out.einfo('- timestamp: %s UTC' % (
33 m.openpgp_signature.timestamp))
34
35 - out.ebegin('Verifying %s' % (self.repo.location,))
36 - m.assert_directory_verifies()
37 - out.eend(0)
38 + # if nothing has changed, skip the actual Manifest
39 + # verification
40 + if not local_state_unchanged:
41 + out.ebegin('Verifying %s' % (self.repo.location,))
42 + m.assert_directory_verifies()
43 + out.eend(0)
44 except Exception as e:
45 writemsg_level("!!! Manifest verification failed:\n%s\n"
46 % (e,),
47 --
48 2.16.1
Report Message
Find on MARC Find on Google Groups