Gentoo Archives: gentoo-portage-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-portage-dev] [PATCH v3] rsync: Introduce support for running full-tree gemato verification
Date: Wed, 24 Jan 2018 21:19:46
Message-Id: 20180124211940.21481-1-mgorny@gentoo.org
1 Add two new configuration options to rsync repositories:
2 sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path.
3 The first controls whether gemato verification is run for
4 the repository (defaults to true for ::gentoo, false otherwise),
5 the second makes it possible to override the key path for custom
6 repositories.
7 ---
8 cnf/repos.conf | 1 +
9 man/portage.5 | 10 ++++++++++
10 pym/portage/sync/modules/rsync/__init__.py | 4 +++-
11 pym/portage/sync/modules/rsync/rsync.py | 20 +++++++++++++++++++-
12 4 files changed, 33 insertions(+), 2 deletions(-)
13
14 v3: now with manpage fix ;-)
15
16 diff --git a/cnf/repos.conf b/cnf/repos.conf
17 index 062fc0d10..644687515 100644
18 --- a/cnf/repos.conf
19 +++ b/cnf/repos.conf
20 @@ -6,6 +6,7 @@ location = /usr/portage
21 sync-type = rsync
22 sync-uri = rsync://rsync.gentoo.org/gentoo-portage
23 auto-sync = yes
24 +sync-rsync-verify-metamanifest = yes
25
26 # for daily squashfs snapshots
27 #sync-type = squashdelta
28 diff --git a/man/portage.5 b/man/portage.5
29 index e724e1f08..b658b9f68 100644
30 --- a/man/portage.5
31 +++ b/man/portage.5
32 @@ -1071,10 +1071,20 @@ Extra options to give to rsync on repository synchronization. It takes
33 precedence over a declaration in [DEFAULT] section, that takes
34 precedence over PORTAGE_RSYNC_EXTRA_OPTS.
35 .TP
36 +.B sync-rsync-openpgp-key-path
37 +Path to the OpenPGP key(ring) used to verify MetaManifest. Used only
38 +if \fBsync-rsync-verify-metamanifest\fR is enabled. Defaults to
39 +\fB/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg\fR (path
40 +used by \fBapp-crypt/gentoo-keys\fR).
41 +.TP
42 .B sync-rsync-vcs-ignore = true|false
43 Ignore vcs directories that may be present in the repository. It is the
44 user's responsibility to set sync-rsync-extra-opts to protect vcs
45 directories if appropriate.
46 +.TP
47 +.B sync-rsync-verify-metamanifest = true|false
48 +Require the repository to contain a signed MetaManifest and verify
49 +it using \fBapp-portage/gemato\fR. Defaults to false.
50
51 .RE
52
53 diff --git a/pym/portage/sync/modules/rsync/__init__.py b/pym/portage/sync/modules/rsync/__init__.py
54 index c2fdc4188..df9a1995a 100644
55 --- a/pym/portage/sync/modules/rsync/__init__.py
56 +++ b/pym/portage/sync/modules/rsync/__init__.py
57 @@ -1,4 +1,4 @@
58 -# Copyright 2014 Gentoo Foundation
59 +# Copyright 2014-2018 Gentoo Foundation
60 # Distributed under the terms of the GNU General Public License v2
61
62 doc = """Rsync plug-in module for portage.
63 @@ -27,7 +27,9 @@ module_spec = {
64 'validate_config': CheckSyncConfig,
65 'module_specific_options': (
66 'sync-rsync-extra-opts',
67 + 'sync-rsync-openpgp-key-path',
68 'sync-rsync-vcs-ignore',
69 + 'sync-rsync-verify-metamanifest',
70 ),
71 }
72 }
73 diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
74 index c80641ba3..613bedd0c 100644
75 --- a/pym/portage/sync/modules/rsync/rsync.py
76 +++ b/pym/portage/sync/modules/rsync/rsync.py
77 @@ -1,4 +1,4 @@
78 -# Copyright 1999-2015 Gentoo Foundation
79 +# Copyright 1999-2018 Gentoo Foundation
80 # Distributed under the terms of the GNU General Public License v2
81
82 import sys
83 @@ -82,6 +82,17 @@ class RsyncSync(NewBase):
84 self.extra_rsync_opts.extend(portage.util.shlex_split(
85 self.repo.module_specific_options['sync-rsync-extra-opts']))
86
87 + # Process GLEP74 verification options.
88 + # Default verification to 'on' for ::gentoo, 'off' otherwise.
89 + self.verify_metamanifest = (
90 + self.repo.module_specific_options.get(
91 + 'sync-rsync-verify-metamanifest', False))
92 + # Default to gentoo-keys keyring.
93 + self.openpgp_key_path = (
94 + self.repo.module_specific_options.get(
95 + 'sync-rsync-openpgp-key-path',
96 + '/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg'))
97 +
98 # Real local timestamp file.
99 self.servertimestampfile = os.path.join(
100 self.repo.location, "metadata", "timestamp.chk")
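Review bot: `self.verify_metamanifest` stores the raw option value, which is presumably the string read from repos.conf (the shipped file sets `yes`). A value of `no` or `false` is therefore still truthy, and the later `if exitcode == 0 and self.verify_metamanifest:` check would run gemato anyway; the option could then only be turned off by omitting it. Parsing the value explicitly avoids this, for example `self.verify_metamanifest = self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('yes', 'true')`. The comment "Default verification to 'on' for ::gentoo" also does not match the `False` default in this code: the "on" comes only from the new line in cnf/repos.conf, so an existing repos.conf without the option would sync unverified, and the comment should say so. The enclosing method starts and ends outside this hunk.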
101 @@ -259,6 +270,13 @@ class RsyncSync(NewBase):
102 exitcode = EXCEEDED_MAX_RETRIES
103 break
104 self._process_exitcode(exitcode, dosyncuri, out, maxretries)
105 +
106 + # if synced successfully, verify now
107 + if exitcode == 0 and self.verify_metamanifest:
108 + command = ['gemato', 'verify', '-K', self.openpgp_key_path,
109 + '-s', self.repo.location]
110 + exitcode = portage.process.spawn(command, **self.spawn_kwargs)
111 +
112 return (exitcode, updatecache_flg)
113
114
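Review bot: When gemato fails, rsync has already written the unverified tree into `self.repo.location`, and the only signal is that `exitcode = portage.process.spawn(command, **self.spawn_kwargs)` overwrites rsync's exit code. Nothing tells the user that MetaManifest verification failed rather than the transfer, so I would report it explicitly before returning, for example `if exitcode != 0: out.eerror('MetaManifest verification failed for %s' % self.repo.location)` (assuming `out` is the same output object passed to `_process_exitcode`). A comment should also state that a non-zero return here means the on-disk tree must be treated as untrusted. Whether `updatecache_flg` should be cleared in that case cannot be judged from this hunk, since the function body begins above it. A missing `gemato` binary or an absent key file at `self.openpgp_key_path` is not handled here either, and presumably surfaces as a spawn error rather than a clear message.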
115 --
116 2.16.1