1 |
Add two new configuration options to rsync repositories: |
2 |
sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path. |
3 |
The first controls whether gemato verification is run for |
4 |
the repository (defaults to true for ::gentoo, false otherwise), |
5 |
the second makes it possible to override the key path for custom |
6 |
repositories. |
7 |
--- |
8 |
cnf/repos.conf | 2 ++ |
9 |
man/portage.5 | 9 +++++++++ |
10 |
pym/portage/sync/modules/rsync/__init__.py | 4 +++- |
11 |
pym/portage/sync/modules/rsync/rsync.py | 20 +++++++++++++++++++- |
12 |
4 files changed, 33 insertions(+), 2 deletions(-) |
13 |
|
14 |
v4: also add key option to repos.conf |
15 |
|
16 |
diff --git a/cnf/repos.conf b/cnf/repos.conf |
17 |
index 062fc0d10..0d2b1f4be 100644 |
18 |
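--- a/cnf/repos.conf
+++ b/cnf/repos.conf
@@ -6,6 +6,8 @@ location = /usr/portage
 sync-type = rsync
 sync-uri = rsync://rsync.gentoo.org/gentoo-portage
 auto-sync = yes
+sync-rsync-verify-metamanifest = yes
+sync-rsync-openpgp-key-path = /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
 
 # for daily squashfs snapshots
 #sync-type = squashdelta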
29 |
diff --git a/man/portage.5 b/man/portage.5 |
30 |
index e724e1f08..35bf8f03b 100644 |
31 |
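--- a/man/portage.5
+++ b/man/portage.5
@@ -1071,10 +1071,19 @@ Extra options to give to rsync on repository synchronization. It takes
 precedence over a declaration in [DEFAULT] section, that takes
 precedence over PORTAGE_RSYNC_EXTRA_OPTS.
 .TP
+.B sync-rsync-openpgp-key-path
+Path to the OpenPGP key(ring) used to verify MetaManifest. Used only
+if \fBsync-rsync-verify-metamanifest\fR is enabled. If unset,
+the user's keyring is used.
+.TP
 .B sync-rsync-vcs-ignore = true|false
 Ignore vcs directories that may be present in the repository. It is the
 user's responsibility to set sync-rsync-extra-opts to protect vcs
 directories if appropriate.
+.TP
+.B sync-rsync-verify-metamanifest = true|false
+Require the repository to contain a signed MetaManifest and verify
+it using \fBapp-portage/gemato\fR. Defaults to false.
 
 .RE
 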
53 |
diff --git a/pym/portage/sync/modules/rsync/__init__.py b/pym/portage/sync/modules/rsync/__init__.py |
54 |
index c2fdc4188..df9a1995a 100644 |
55 |
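--- a/pym/portage/sync/modules/rsync/__init__.py
+++ b/pym/portage/sync/modules/rsync/__init__.py
@@ -1,4 +1,4 @@
-# Copyright 2014 Gentoo Foundation
+# Copyright 2014-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 doc = """Rsync plug-in module for portage.
@@ -27,7 +27,9 @@ module_spec = {
 'validate_config': CheckSyncConfig,
 'module_specific_options': (
 'sync-rsync-extra-opts',
+ 'sync-rsync-openpgp-key-path',
 'sync-rsync-vcs-ignore',
+ 'sync-rsync-verify-metamanifest',
 ),
 }
 }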
73 |
diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py |
74 |
index c80641ba3..47f0e1ea3 100644 |
75 |
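--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 import sys
@@ -82,6 +82,16 @@ class RsyncSync(NewBase):
 self.extra_rsync_opts.extend(portage.util.shlex_split(
 self.repo.module_specific_options['sync-rsync-extra-opts']))
 
+ # Process GLEP74 verification options.
+ # Default verification to 'on' for ::gentoo, 'off' otherwise.
+ self.verify_metamanifest = (
+ self.repo.module_specific_options.get(
+ 'sync-rsync-verify-metamanifest', False))
+ # Default to gentoo-keys keyring.
+ self.openpgp_key_path = (
+ self.repo.module_specific_options.get(
+ 'sync-rsync-openpgp-key-path', None))
+
 # Real local timestamp file.
 self.servertimestampfile = os.path.join(
 self.repo.location, "metadata", "timestamp.chk")
@@ -259,6 +269,14 @@ class RsyncSync(NewBase):
 exitcode = EXCEEDED_MAX_RETRIES
 break
 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
+
+ # if synced successfully, verify now
+ if exitcode == 0 and self.verify_metamanifest:
+ command = ['gemato', 'verify', '-s', self.repo.location]
+ if self.openpgp_key_path is not None:
+ command += ['-K', self.openpgp_key_path]
+ exitcode = portage.process.spawn(command, **self.spawn_kwargs)
+
 return (exitcode, updatecache_flg)
 
 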
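Review bot: In the `@@ -82` hunk `self.verify_metamanifest` is assigned the raw option value, and the `@@ -259` hunk tests it with `if exitcode == 0 and self.verify_metamanifest`, so any non-empty string enables verification, `false` and `no` included; the stated default also disagrees across the patch (the comment and commit message say on for ::gentoo, the code and man page say false). The neighbouring `sync-rsync-extra-opts` value is handed to `shlex_split`, which suggests these options arrive as strings, so parse it explicitly, e.g. `self.verify_metamanifest = self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('true', 'yes')`, which also reconciles the `yes` shipped in cnf/repos.conf with the `true|false` documented in man/portage.5. The comment `# Default to gentoo-keys keyring.` should read `# Unset: gemato falls back to the user's keyring.` to match the `None` default and the man page. Separately, gemato runs on `self.repo.location` only after the sync has completed, so a failed verification is signalled through `exitcode` alone while `updatecache_flg` is returned unchanged; consider `if exitcode != 0: updatecache_flg = False` and confirm how callers treat the already-written tree, which is outside these hunks. All three hunks sit inside `RsyncSync` code whose enclosing methods start and end outside the visible lines.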
115 |
-- |
116 |
2.16.1 |