
From: Zac Medico <zmedico@g.o>
To: gentoo-portage-dev@l.g.o, Brian Dolbec <dolsen@g.o>, "Rick \\\"Zero_Chaos\\\" Farina" <zerochaos@g.o>
Subject: Re: [gentoo-portage-dev] [PATCH] repos.conf: add bool sync-openpgp-key-refresh option (bug 661518)
Date: Sat, 13 Jun 2020 01:58:15
Message-Id: 3ba482b9-b3d9-e52a-a80c-134bc99d50fc@gentoo.org
In Reply to: Re: [gentoo-portage-dev] [PATCH] repos.conf: add bool sync-openpgp-key-refresh option (bug 661518) by Brian Dolbec
1 On 6/12/20 6:48 PM, Brian Dolbec wrote:
2 > On Fri, 12 Jun 2020 16:51:51 -0700
3 > Zac Medico <zmedico@g.o> wrote:
4 >
5 >> Add a sync-openpgp-key-refresh option that makes it possible to
6 >> disable key refresh, which may be useful in cases when it is not
7 >> possible to refresh keys.
8 >>
9 >> Key refresh is enabled by default, and if it is disabled then
10 >> the SyncBase._refresh_keys method will output an ewarn message
11 >> like this when the --quiet option is not enabled:
12 >>
13 >> * Key refresh is disabled via a repos.conf sync-openpgp-key-refresh
14 >> * setting, and this is a security vulnerability because it prevents
15 >> * detection of revoked keys!
16 >>
17 >> Bug: https://bugs.gentoo.org/661518
18 >> Signed-off-by: Zac Medico <zmedico@g.o>
19 >> ---
20 >> lib/portage/repository/config.py | 10 +++++++++-
21 >> lib/portage/sync/syncbase.py | 9 ++++++++-
22 >> man/portage.5 | 9 ++++++++-
23 >> 3 files changed, 25 insertions(+), 3 deletions(-)
24 >>
25 >> diff --git a/lib/portage/repository/config.py
26 >> b/lib/portage/repository/config.py index 50ab18026..6155c130a 100644
27 >> --- a/lib/portage/repository/config.py
28 >> +++ b/lib/portage/repository/config.py
29 >> @@ -1,4 +1,4 @@
30 >> -# Copyright 2010-2019 Gentoo Authors
31 >> +# Copyright 2010-2020 Gentoo Authors
32 >> # Distributed under the terms of the GNU General Public License v2
33 >>
34 >> from __future__ import unicode_literals
35 >> @@ -113,6 +113,7 @@ class RepoConfig(object):
36 >> 'sync_hooks_only_on_change',
37 >> 'sync_openpgp_keyserver',
38 >> 'sync_openpgp_key_path',
39 >> + 'sync_openpgp_key_refresh',
40 >> 'sync_openpgp_key_refresh_retry_count',
41 >> 'sync_openpgp_key_refresh_retry_delay_exp_base',
42 >> 'sync_openpgp_key_refresh_retry_delay_max',
43 >> @@ -233,6 +234,9 @@ class RepoConfig(object):
44 >> self.sync_openpgp_key_path = repo_opts.get(
45 >> 'sync-openpgp-key-path', None)
46 >>
47 >> + self.sync_openpgp_key_refresh = repo_opts.get(
48 >> + 'sync-openpgp-key-refresh', 'true').lower()
49 >> in ('true', 'yes') +
50 >> for k in ('sync_openpgp_key_refresh_retry_count',
51 >> 'sync_openpgp_key_refresh_retry_delay_exp_base',
52 >> 'sync_openpgp_key_refresh_retry_delay_max',
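Review bot: The new parsing on the added lines fails open: any value other than `true`/`yes` (a typo such as `ture`, or `1`/`on`) silently evaluates to False and disables key refresh, which is the security-sensitive direction for this option. Since the default is enabled, it is safer to disable only on an explicit negative, e.g. `'sync-openpgp-key-refresh', 'true').lower() not in ('false', 'no')`, and ideally to warn on an unrecognized value. If the other bool options in this constructor are parsed with the same `in ('true', 'yes')` idiom that is a reason to keep the form for consistency, but this option in particular deserves a fail-closed reading; the separate `bool_keys` handling in RepoConfigLoader does not cover this constructor path as far as the visible lines show.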
53 >> @@ -497,6 +501,8 @@ class RepoConfig(object):
54 >> repo_msg.append(indent + "location: " +
55 >> self.location) if not self.strict_misc_digests:
56 >> repo_msg.append(indent +
57 >> "strict-misc-digests: false")
58 >> + if not self.sync_openpgp_key_refresh:
59 >> + repo_msg.append(indent +
60 >> "sync-openpgp-key-refresh: no") if self.sync_type:
61 >> repo_msg.append(indent + "sync-type: " +
62 >> self.sync_type) if self.sync_umask:
63 >> @@ -609,6 +615,7 @@ class RepoConfigLoader(object):
64 >> 'sync_hooks_only_on_change',
65 >> 'sync_openpgp_keyserver',
66 >> 'sync_openpgp_key_path',
67 >> +
68 >> 'sync_openpgp_key_refresh', 'sync_openpgp_key_refresh_retry_count',
69 >> 'sync_openpgp_key_refresh_retry_delay_exp_base',
70 >> 'sync_openpgp_key_refresh_retry_delay_max',
71 >> @@ -1047,6 +1054,7 @@ class RepoConfigLoader(object):
72 >> bool_keys = (
73 >> "strict_misc_digests",
74 >> "sync_allow_hardlinks",
75 >> + "sync_openpgp_key_refresh",
76 >> "sync_rcu",
77 >> )
78 >> str_or_int_keys = (
79 >> diff --git a/lib/portage/sync/syncbase.py
80 >> b/lib/portage/sync/syncbase.py index 46644d68e..74818a420 100644
81 >> --- a/lib/portage/sync/syncbase.py
82 >> +++ b/lib/portage/sync/syncbase.py
83 >> @@ -1,4 +1,4 @@
84 >> -# Copyright 2014-2018 Gentoo Foundation
85 >> +# Copyright 2014-2020 Gentoo Authors
86 >> # Distributed under the terms of the GNU General Public License v2
87 >>
88 >> '''
89 >> @@ -252,6 +252,13 @@ class SyncBase(object):
90 >> @type openpgp_env: gemato.openpgp.OpenPGPEnvironment
91 >> """
92 >> out = portage.output.EOutput(quiet=('--quiet' in
93 >> self.options['emerge_config'].opts)) +
94 >> + if not self.repo.sync_openpgp_key_refresh:
95 >> + out.ewarn('Key refresh is disabled via a
96 >> repos.conf sync-openpgp-key-refresh')
97 >> + out.ewarn('setting, and this is a security
98 >> vulnerability because it prevents')
99 >> + out.ewarn('detection of revoked keys!')
100 >> + return
101 >> +
102 >> out.ebegin('Refreshing keys via WKD')
103 >> if openpgp_env.refresh_keys_wkd():
104 >> out.eend(0)
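Review bot: The ewarn on the added lines is suppressed whenever `--quiet` is in effect, because `out` is constructed with `quiet=('--quiet' in self.options['emerge_config'].opts)` on the line above, so a security-relevant misconfiguration goes unreported exactly in the automated/cron runs where it is most likely to linger. Emit this warning through a non-quiet channel instead, e.g. `portage.output.EOutput(quiet=False).ewarn(...)` for the three ewarn calls, and keep the quiet-aware `out` for the progress messages that follow. The `_refresh_keys` method starts above the hunk; its docstring should also state that the method returns early without contacting WKD or the keyserver when `sync_openpgp_key_refresh` is false, so callers do not assume a refresh was attempted.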
105 >> diff --git a/man/portage.5 b/man/portage.5
106 >> index 36c871123..136ebaafe 100644
107 >> --- a/man/portage.5
108 >> +++ b/man/portage.5
109 >> @@ -1,4 +1,4 @@
110 >> -.TH "PORTAGE" "5" "Apr 2019" "Portage VERSION" "Portage"
111 >> +.TH "PORTAGE" "5" "Jun 2020" "Portage VERSION" "Portage"
112 >> .SH NAME
113 >> portage \- the heart of Gentoo
114 >> .SH "DESCRIPTION"
115 >> @@ -1124,6 +1124,13 @@ Path to the OpenPGP key(ring) used to verify
116 >> received repository. Used only for protocols supporting cryptographic
117 >> verification, provided that the respective verification option is
118 >> enabled. If unset, the user's keyring is used.
119 >> +.TP
120 >> +.B sync\-openpgp\-key\-refresh = yes
121 >> +Enable OpenPGP key(ring) refresh. This option is enabled by default.
122 >> +
123 >> +\fBWarning\fR: It is a security vulnerability to disable this option
124 >> +because this will prevent detection of revoked keys!
125 >> +
126 >> .TP
127 >> .B sync\-openpgp\-key\-refresh\-retry\-count = 40
128 >> Maximum number of times to retry key refresh if it fails. Between
129 >> each
130 >
131 >
132 > Is this something we can override with emaint sync in order to refresh
133 > the keys on demand? This would be the same as emaint sync ability to
134 > ignore the sync = no for manual syncing on demand only.
135 >
136 > Possibly add an option to emaint sync that causes a refresh of the key.
137
138 These are questions for Rick since I never plan to use this feature myself.
139 --
140 Thanks,
141 Zac
