
From: Brian Dolbec <dolsen@g.o>
To: gentoo-portage-dev@l.g.o
Subject: Re: [gentoo-portage-dev] [PATCH] repos.conf: add bool sync-openpgp-key-refresh option (bug 661518)
Date: Sat, 13 Jun 2020 01:53:07
Message-Id: 20200612184808.0aa9c18d@storm
In Reply to: [gentoo-portage-dev] [PATCH] repos.conf: add bool sync-openpgp-key-refresh option (bug 661518) by Zac Medico
1 On Fri, 12 Jun 2020 16:51:51 -0700
2 Zac Medico <zmedico@g.o> wrote:
3
4 > Add a sync-openpgp-key-refresh option that makes it possible to
5 > disable key refresh, which may be useful in cases when it is not
6 > possible to refresh keys.
7 >
8 > Key refresh is enabled by default, and if it is disabled then
9 > the SyncBase._refresh_keys method will output an ewarn message
10 > like this when the --quiet option is not enabled:
11 >
12 > * Key refresh is disabled via a repos.conf sync-openpgp-key-refresh
13 > * setting, and this is a security vulnerability because it prevents
14 > * detection of revoked keys!
15 >
16 > Bug: https://bugs.gentoo.org/661518
17 > Signed-off-by: Zac Medico <zmedico@g.o>
18 > ---
19 > lib/portage/repository/config.py | 10 +++++++++-
20 > lib/portage/sync/syncbase.py | 9 ++++++++-
21 > man/portage.5 | 9 ++++++++-
22 > 3 files changed, 25 insertions(+), 3 deletions(-)
23 >
24 > diff --git a/lib/portage/repository/config.py
25 > b/lib/portage/repository/config.py index 50ab18026..6155c130a 100644
26 > --- a/lib/portage/repository/config.py
27 > +++ b/lib/portage/repository/config.py
28 > @@ -1,4 +1,4 @@
29 > -# Copyright 2010-2019 Gentoo Authors
30 > +# Copyright 2010-2020 Gentoo Authors
31 > # Distributed under the terms of the GNU General Public License v2
32 >
33 > from __future__ import unicode_literals
34 > @@ -113,6 +113,7 @@ class RepoConfig(object):
35 > 'sync_hooks_only_on_change',
36 > 'sync_openpgp_keyserver',
37 > 'sync_openpgp_key_path',
38 > + 'sync_openpgp_key_refresh',
39 > 'sync_openpgp_key_refresh_retry_count',
40 > 'sync_openpgp_key_refresh_retry_delay_exp_base',
41 > 'sync_openpgp_key_refresh_retry_delay_max',
42 > @@ -233,6 +234,9 @@ class RepoConfig(object):
43 > self.sync_openpgp_key_path = repo_opts.get(
44 > 'sync-openpgp-key-path', None)
45 >
46 > + self.sync_openpgp_key_refresh = repo_opts.get(
47 > + 'sync-openpgp-key-refresh', 'true').lower()
48 > in ('true', 'yes') +
49 > for k in ('sync_openpgp_key_refresh_retry_count',
50 > 'sync_openpgp_key_refresh_retry_delay_exp_base',
51 > 'sync_openpgp_key_refresh_retry_delay_max',
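Review bot: The parse at `self.sync_openpgp_key_refresh = repo_opts.get('sync-openpgp-key-refresh', 'true').lower() in ('true', 'yes')` fails open: any value other than true/yes (a typo such as `ture`, or `1`/`on`) silently disables key refresh, which is the direction the new ewarn in syncbase.py itself calls a security vulnerability. If the other boolean repo options use the same `in ('true', 'yes')` test this is consistent with them, but since an unrecognised value here weakens verification rather than strengthening it, consider accepting only an explicit opt-out, `.lower() not in ('false', 'no')`, or warning when the value is not one of the recognised spellings. The repo_msg hunk below that prints `sync-openpgp-key-refresh: no` would then also reflect only deliberate opt-outs. RepoConfig.__init__ starts and ends outside the hunk.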
52 > @@ -497,6 +501,8 @@ class RepoConfig(object):
53 > repo_msg.append(indent + "location: " +
54 > self.location) if not self.strict_misc_digests:
55 > repo_msg.append(indent +
56 > "strict-misc-digests: false")
57 > + if not self.sync_openpgp_key_refresh:
58 > + repo_msg.append(indent +
59 > "sync-openpgp-key-refresh: no") if self.sync_type:
60 > repo_msg.append(indent + "sync-type: " +
61 > self.sync_type) if self.sync_umask:
62 > @@ -609,6 +615,7 @@ class RepoConfigLoader(object):
63 > 'sync_hooks_only_on_change',
64 > 'sync_openpgp_keyserver',
65 > 'sync_openpgp_key_path',
66 > +
67 > 'sync_openpgp_key_refresh', 'sync_openpgp_key_refresh_retry_count',
68 > 'sync_openpgp_key_refresh_retry_delay_exp_base',
69 > 'sync_openpgp_key_refresh_retry_delay_max',
70 > @@ -1047,6 +1054,7 @@ class RepoConfigLoader(object):
71 > bool_keys = (
72 > "strict_misc_digests",
73 > "sync_allow_hardlinks",
74 > + "sync_openpgp_key_refresh",
75 > "sync_rcu",
76 > )
77 > str_or_int_keys = (
78 > diff --git a/lib/portage/sync/syncbase.py
79 > b/lib/portage/sync/syncbase.py index 46644d68e..74818a420 100644
80 > --- a/lib/portage/sync/syncbase.py
81 > +++ b/lib/portage/sync/syncbase.py
82 > @@ -1,4 +1,4 @@
83 > -# Copyright 2014-2018 Gentoo Foundation
84 > +# Copyright 2014-2020 Gentoo Authors
85 > # Distributed under the terms of the GNU General Public License v2
86 >
87 > '''
88 > @@ -252,6 +252,13 @@ class SyncBase(object):
89 > @type openpgp_env: gemato.openpgp.OpenPGPEnvironment
90 > """
91 > out = portage.output.EOutput(quiet=('--quiet' in
92 > self.options['emerge_config'].opts)) +
93 > + if not self.repo.sync_openpgp_key_refresh:
94 > + out.ewarn('Key refresh is disabled via a
95 > repos.conf sync-openpgp-key-refresh')
96 > + out.ewarn('setting, and this is a security
97 > vulnerability because it prevents')
98 > + out.ewarn('detection of revoked keys!')
99 > + return
100 > +
101 > out.ebegin('Refreshing keys via WKD')
102 > if openpgp_env.refresh_keys_wkd():
103 > out.eend(0)
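Review bot: The docstring of SyncBase._refresh_keys, whose opening lies outside the hunk (only the closing `@type openpgp_env` line is visible), does not describe the new early return; add a sentence such as `If repo.sync_openpgp_key_refresh is false no refresh is attempted: an ewarn is printed (unless --quiet) and the method returns before any WKD/keyserver request.` The warning goes through the same EOutput as the progress messages, so with --quiet a disabled refresh leaves no trace in the sync output at all; the description says that suppression is intended, but since the disabled state is persistent configuration rather than a one-off, a warning-level log record that survives quiet runs may be worth considering. The rest of the method, including the WKD and keyserver refresh path, continues outside the hunk.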
104 > diff --git a/man/portage.5 b/man/portage.5
105 > index 36c871123..136ebaafe 100644
106 > --- a/man/portage.5
107 > +++ b/man/portage.5
108 > @@ -1,4 +1,4 @@
109 > -.TH "PORTAGE" "5" "Apr 2019" "Portage VERSION" "Portage"
110 > +.TH "PORTAGE" "5" "Jun 2020" "Portage VERSION" "Portage"
111 > .SH NAME
112 > portage \- the heart of Gentoo
113 > .SH "DESCRIPTION"
114 > @@ -1124,6 +1124,13 @@ Path to the OpenPGP key(ring) used to verify
115 > received repository. Used only for protocols supporting cryptographic
116 > verification, provided that the respective verification option is
117 > enabled. If unset, the user's keyring is used.
118 > +.TP
119 > +.B sync\-openpgp\-key\-refresh = yes
120 > +Enable OpenPGP key(ring) refresh. This option is enabled by default.
121 > +
122 > +\fBWarning\fR: It is a security vulnerability to disable this option
123 > +because this will prevent detection of revoked keys!
124 > +
125 > .TP
126 > .B sync\-openpgp\-key\-refresh\-retry\-count = 40
127 > Maximum number of times to retry key refresh if it fails. Between
128 > each
131 Is this something we can override with emaint sync in order to refresh
132 the keys on demand? This would be the same as emaint sync's ability to
133 ignore sync = no for manual syncing on demand only.
135 Possibly add an option to emaint sync that causes a refresh of the key.
