On Fri, 12 Jun 2020 16:51:51 -0700 |
Zac Medico <zmedico@g.o> wrote: |
|
> Add a sync-openpgp-key-refresh option that makes it possible to |
> disable key refresh, which may be useful in cases when it is not |
> possible to refresh keys. |
> |
> Key refresh is enabled by default, and if it is disabled then |
> the SyncBase._refresh_keys method will output an ewarn message |
> like this when the --quiet option is not enabled: |
> |
> * Key refresh is disabled via a repos.conf sync-openpgp-key-refresh |
> * setting, and this is a security vulnerability because it prevents |
> * detection of revoked keys! |
> |
> Bug: https://bugs.gentoo.org/661518 |
> Signed-off-by: Zac Medico <zmedico@g.o> |
> --- |
> lib/portage/repository/config.py | 10 +++++++++- |
> lib/portage/sync/syncbase.py | 9 ++++++++- |
> man/portage.5 | 9 ++++++++- |
> 3 files changed, 25 insertions(+), 3 deletions(-) |
> |
> diff --git a/lib/portage/repository/config.py |
25 |
> b/lib/portage/repository/config.py index 50ab18026..6155c130a 100644 |
26 |
> --- a/lib/portage/repository/config.py |
27 |
> +++ b/lib/portage/repository/config.py |
28 |
> @@ -1,4 +1,4 @@ |
29 |
> -# Copyright 2010-2019 Gentoo Authors |
30 |
> +# Copyright 2010-2020 Gentoo Authors |
31 |
> # Distributed under the terms of the GNU General Public License v2 |
32 |
> |
33 |
> from __future__ import unicode_literals |
34 |
> @@ -113,6 +113,7 @@ class RepoConfig(object): |
35 |
> 'sync_hooks_only_on_change', |
36 |
> 'sync_openpgp_keyserver', |
37 |
> 'sync_openpgp_key_path', |
38 |
> + 'sync_openpgp_key_refresh', |
39 |
> 'sync_openpgp_key_refresh_retry_count', |
40 |
> 'sync_openpgp_key_refresh_retry_delay_exp_base', |
41 |
> 'sync_openpgp_key_refresh_retry_delay_max', |
42 |
> @@ -233,6 +234,9 @@ class RepoConfig(object): |
43 |
> self.sync_openpgp_key_path = repo_opts.get( |
44 |
> 'sync-openpgp-key-path', None) |
45 |
> |
46 |
> + self.sync_openpgp_key_refresh = repo_opts.get( |
47 |
> + 'sync-openpgp-key-refresh', 'true').lower() |
48 |
> in ('true', 'yes') + |
49 |
> for k in ('sync_openpgp_key_refresh_retry_count', |
50 |
> 'sync_openpgp_key_refresh_retry_delay_exp_base', |
51 |
> 'sync_openpgp_key_refresh_retry_delay_max', |
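Review bot: The boolean parse on the added lines, `repo_opts.get('sync-openpgp-key-refresh', 'true').lower() in ('true', 'yes')`, fails open: any unrecognized value (a typo, `1`, `on`) disables key refresh, which is the very direction the commit message calls a security vulnerability. For a setting whose unsafe state is "off", accept only an explicit opt-out, e.g. `self.sync_openpgp_key_refresh = repo_opts.get('sync-openpgp-key-refresh', 'true').lower() not in ('false', 'no')`, or warn when the value is in neither set. If the neighbouring boolean options are parsed the same way (not visible in this hunk) the same consideration applies to them, and whether the `bool_keys` entry added in the `@@ -1047` hunk normalizes this value elsewhere cannot be seen here. The enclosing method starts and ends outside the hunk.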
52 |
> @@ -497,6 +501,8 @@ class RepoConfig(object): |
53 |
> repo_msg.append(indent + "location: " + |
54 |
> self.location) if not self.strict_misc_digests: |
55 |
> repo_msg.append(indent + |
56 |
> "strict-misc-digests: false") |
57 |
> + if not self.sync_openpgp_key_refresh: |
58 |
> + repo_msg.append(indent + |
59 |
> "sync-openpgp-key-refresh: no") if self.sync_type: |
60 |
> repo_msg.append(indent + "sync-type: " + |
61 |
> self.sync_type) if self.sync_umask: |
62 |
> @@ -609,6 +615,7 @@ class RepoConfigLoader(object): |
63 |
> 'sync_hooks_only_on_change', |
64 |
> 'sync_openpgp_keyserver', |
65 |
> 'sync_openpgp_key_path', |
66 |
> + |
67 |
> 'sync_openpgp_key_refresh', 'sync_openpgp_key_refresh_retry_count', |
68 |
> 'sync_openpgp_key_refresh_retry_delay_exp_base', |
69 |
> 'sync_openpgp_key_refresh_retry_delay_max', |
70 |
> @@ -1047,6 +1054,7 @@ class RepoConfigLoader(object): |
71 |
> bool_keys = ( |
72 |
> "strict_misc_digests", |
73 |
> "sync_allow_hardlinks", |
74 |
> + "sync_openpgp_key_refresh", |
75 |
> "sync_rcu", |
76 |
> ) |
77 |
> str_or_int_keys = ( |
78 |
> diff --git a/lib/portage/sync/syncbase.py |
79 |
> b/lib/portage/sync/syncbase.py index 46644d68e..74818a420 100644 |
80 |
> --- a/lib/portage/sync/syncbase.py |
81 |
> +++ b/lib/portage/sync/syncbase.py |
82 |
> @@ -1,4 +1,4 @@ |
83 |
> -# Copyright 2014-2018 Gentoo Foundation |
84 |
> +# Copyright 2014-2020 Gentoo Authors |
85 |
> # Distributed under the terms of the GNU General Public License v2 |
86 |
> |
87 |
> ''' |
88 |
> @@ -252,6 +252,13 @@ class SyncBase(object): |
89 |
> @type openpgp_env: gemato.openpgp.OpenPGPEnvironment |
90 |
> """ |
91 |
> out = portage.output.EOutput(quiet=('--quiet' in |
92 |
> self.options['emerge_config'].opts)) + |
93 |
> + if not self.repo.sync_openpgp_key_refresh: |
94 |
> + out.ewarn('Key refresh is disabled via a |
95 |
> repos.conf sync-openpgp-key-refresh') |
96 |
> + out.ewarn('setting, and this is a security |
97 |
> vulnerability because it prevents') |
98 |
> + out.ewarn('detection of revoked keys!') |
99 |
> + return |
100 |
> + |
101 |
> out.ebegin('Refreshing keys via WKD') |
102 |
> if openpgp_env.refresh_keys_wkd(): |
103 |
> out.eend(0) |
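Review bot: The three added `out.ewarn(...)` calls go through the `EOutput` built with `quiet=('--quiet' in self.options['emerge_config'].opts)` on the preceding context line, so under `--quiet` the downgrade to no revocation detection leaves no trace at all, as the commit message acknowledges. A warning that revoked keys will not be detected is worth surviving `--quiet`: consider emitting it through a separate `EOutput` with `quiet=False`, or additionally logging it so it appears in the sync log. The early `return` also means none of the `sync-openpgp-key-refresh-retry-*` settings have any effect while refresh is disabled, which the man page entry in this patch could state. `_refresh_keys` starts and ends outside the hunk.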
104 |
> diff --git a/man/portage.5 b/man/portage.5 |
105 |
> index 36c871123..136ebaafe 100644 |
106 |
> --- a/man/portage.5 |
107 |
> +++ b/man/portage.5 |
108 |
> @@ -1,4 +1,4 @@ |
109 |
> -.TH "PORTAGE" "5" "Apr 2019" "Portage VERSION" "Portage" |
110 |
> +.TH "PORTAGE" "5" "Jun 2020" "Portage VERSION" "Portage" |
111 |
> .SH NAME |
112 |
> portage \- the heart of Gentoo |
113 |
> .SH "DESCRIPTION" |
114 |
> @@ -1124,6 +1124,13 @@ Path to the OpenPGP key(ring) used to verify |
115 |
> received repository. Used only for protocols supporting cryptographic |
116 |
> verification, provided that the respective verification option is |
117 |
> enabled. If unset, the user's keyring is used. |
118 |
> +.TP |
119 |
> +.B sync\-openpgp\-key\-refresh = yes |
120 |
> +Enable OpenPGP key(ring) refresh. This option is enabled by default. |
121 |
> + |
122 |
> +\fBWarning\fR: It is a security vulnerability to disable this option |
123 |
> +because this will prevent detection of revoked keys! |
124 |
> + |
125 |
> .TP |
126 |
> .B sync\-openpgp\-key\-refresh\-retry\-count = 40 |
127 |
> Maximum number of times to retry key refresh if it fails. Between |
128 |
> each |
|
|
Is this something we can override with emaint sync in order to refresh |
the keys on demand? This would be the same as emaint sync ability to |
ignore the sync = no for manual syncing on demand only. |
|
Possibly add an option to emaint sync that causes a refresh of the key. |