
From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-portage-dev] [PATCH v4] rsync: Introduce support for running full-tree gemato verification
Date: Wed, 24 Jan 2018 21:36:32
Message-Id: 20180124213625.29503-1-mgorny@gentoo.org
1 Add two new configuration options to rsync repositories:
2 sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path.
3 The first controls whether gemato verification is run for
4 the repository (defaults to true for ::gentoo, false otherwise),
5 the second makes it possible to override the key path for custom
6 repositories.
7 ---
8 cnf/repos.conf | 2 ++
9 man/portage.5 | 9 +++++++++
10 pym/portage/sync/modules/rsync/__init__.py | 4 +++-
11 pym/portage/sync/modules/rsync/rsync.py | 20 +++++++++++++++++++-
12 4 files changed, 33 insertions(+), 2 deletions(-)
13
14 v4: also add key option to repos.conf
15
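--- a/cnf/repos.conf
+++ b/cnf/repos.conf
@@ -6,6 +6,8 @@ location = /usr/portage
 sync-type = rsync
 sync-uri = rsync://rsync.gentoo.org/gentoo-portage
 auto-sync = yes
+sync-rsync-verify-metamanifest = yes
+sync-rsync-openpgp-key-path = /var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg
 
 # for daily squashfs snapshots
 #sync-type = squashdelta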
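--- a/man/portage.5
+++ b/man/portage.5
@@ -1071,10 +1071,19 @@ Extra options to give to rsync on repository synchronization. It takes
 precedence over a declaration in [DEFAULT] section, that takes
 precedence over PORTAGE_RSYNC_EXTRA_OPTS.
 .TP
+.B sync-rsync-openpgp-key-path
+Path to the OpenPGP key(ring) used to verify MetaManifest. Used only
+if \fBsync-rsync-verify-metamanifest\fR is enabled. If unset,
+the user's keyring is used.
+.TP
 .B sync-rsync-vcs-ignore = true|false
 Ignore vcs directories that may be present in the repository. It is the
 user's responsibility to set sync-rsync-extra-opts to protect vcs
 directories if appropriate.
+.TP
+.B sync-rsync-verify-metamanifest = true|false
+Require the repository to contain a signed MetaManifest and verify
+it using \fBapp-portage/gemato\fR. Defaults to false.
 
 .RE
 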
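--- a/pym/portage/sync/modules/rsync/__init__.py
+++ b/pym/portage/sync/modules/rsync/__init__.py
@@ -1,4 +1,4 @@
-# Copyright 2014 Gentoo Foundation
+# Copyright 2014-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 doc = """Rsync plug-in module for portage.
@@ -27,7 +27,9 @@ module_spec = {
 'validate_config': CheckSyncConfig,
 'module_specific_options': (
 'sync-rsync-extra-opts',
+ 'sync-rsync-openpgp-key-path',
 'sync-rsync-vcs-ignore',
+ 'sync-rsync-verify-metamanifest',
 ),
 }
 }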
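--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 import sys
@@ -82,6 +82,16 @@ class RsyncSync(NewBase):
 self.extra_rsync_opts.extend(portage.util.shlex_split(
 self.repo.module_specific_options['sync-rsync-extra-opts']))
 
+ # Process GLEP74 verification options.
+ # Default verification to 'on' for ::gentoo, 'off' otherwise.
+ self.verify_metamanifest = (
+ self.repo.module_specific_options.get(
+ 'sync-rsync-verify-metamanifest', False))
+ # Default to gentoo-keys keyring.
+ self.openpgp_key_path = (
+ self.repo.module_specific_options.get(
+ 'sync-rsync-openpgp-key-path', None))
+
 # Real local timestamp file.
 self.servertimestampfile = os.path.join(
 self.repo.location, "metadata", "timestamp.chk")
@@ -259,6 +269,14 @@ class RsyncSync(NewBase):
 exitcode = EXCEEDED_MAX_RETRIES
 break
 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
+
+ # if synced successfully, verify now
+ if exitcode == 0 and self.verify_metamanifest:
+ command = ['gemato', 'verify', '-s', self.repo.location]
+ if self.openpgp_key_path is not None:
+ command += ['-K', self.openpgp_key_path]
+ exitcode = portage.process.spawn(command, **self.spawn_kwargs)
+
 return (exitcode, updatecache_flg)
 
 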
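Review bot: In the first rsync.py hunk `verify_metamanifest` is taken straight from `module_specific_options.get(..., False)` and later only tested for truthiness, so if the option arrives as the raw repos.conf string (the parsing is not visible here), `sync-rsync-verify-metamanifest = no` or `false` would still be truthy and run gemato. The fallback is also `False` for every repository, while the comment above it and the commit message say verification defaults to on for ::gentoo, so an install whose repos.conf lacks the new line would apparently sync unverified. Consider parsing explicitly, e.g. `self.verify_metamanifest = self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('yes', 'true')`, and correcting both comments (the key path fallback is `None`, not the gentoo-keys keyring). In the last hunk gemato runs on `self.repo.location` only after rsync has reported success, so as far as the hunk shows a failed verification returns a non-zero exit code but leaves the unverified files in place; an error message and a comment stating this would help. Both enclosing methods start outside the hunks.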
115 --
116 2.16.1

Replies