2018-07-05 1:25 GMT+03:00 Mick <michaelkintzios@×××××.com>:
> On Wednesday, 4 July 2018 19:32:33 BST gevisz wrote:
>> 2018-07-04 21:01 GMT+03:00 Mick <michaelkintzios@×××××.com>:
>> > On Wednesday, 4 July 2018 18:57:56 BST gevisz wrote:
>> >> 2018-07-04 11:55 GMT+03:00 Alex Thorne <lexiconifernelius@×××××.com>:
>> >> >> I use rsync and get the following for more than a day now;
>> >> >>
>> >> >> !!! Manifest verification failed:
>> >> >> OpenPGP verification failed:
>> >> >> gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
>> >> >> gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
>> >> >> gpg: Can't check signature: No public key
>> >> >
>> >> > I'm seeing this too. For me `app-crypt/gentoo-keys` is somehow no
>> >> > longer installed and `/var/lib/gentoo/gkeys` is missing. I have no idea
>> >> > how this happened. Perhaps it somehow got into `emerge --depclean`
>> >> > and I didn't catch it.
>> >>
>> >> No. Gentoo maintainers just overlooked that all Gentoo signing keys
>> >> expired on July 1, and added new openpgp-keys-gentoo into portage
>> >> tree only on July 2.
>> >>
>> >> So, since July 1, rsync cannot verify any new portage tree and cannot
>> >> download app-crypt/openpgp-keys-gentoo-release-20180702
>> >>
>> >> It was discovered in the thread
>> >> "All Gentoo signing key expired and no way to fix it"
>> >
>> > Is there a documented manual workaround we could follow at present,
>> > irrespective of our sync'ing mechanism of choice?

It seems that everything is explained in
https://wiki.gentoo.org/wiki/Portage_Security
(This link was first provided in this thread by methylherd.)

>> For me, it somehow worked by manually refreshing the Gentoo signing keys by
>> executing the following two commands:
>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D
>> in different order and sourcing /etc/profile
>>
>> But, please, note that I use emerge-webrsync to update the portage tree.
>
> Thanks gevisz, the first line to refresh keys fails, because in
> /var/lib/gentoo/ I only have a news/ subdirectory.

Interestingly, it was the second line that seemed to fail in my case.
(I was in a hurry and executed it so many times that I cannot
say it for sure.)

But, as it has already been pointed out by Bill Kenworthy and
explained in https://wiki.gentoo.org/wiki/Portage_Security ,
the internal mechanisms for checking Gentoo signatures
are different between git, rsync and webrsync.
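
An added example, not part of the original message or of any Gentoo tool: a small shell check that tells apart the two situations reported in this thread, a keyring directory that is missing and a keyring whose keys have expired. It assumes GnuPG 2.x colon output; the function names, the 30-day warning window and the sample key IDs are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. KEYRING_DIR defaults to the path quoted there.
KEYRING_DIR="${KEYRING_DIR:-/var/lib/gentoo/gkeys/keyrings/gentoo/release}"
WARN_DAYS=30   # assumed warning window, not a Gentoo setting

# key_status NOW: read `gpg --with-colons --list-keys` output on stdin and print
# "<status> <keyid> <expiry>" for every primary key and subkey.
# Assumes GnuPG 2.x, where field 7 is the expiry in epoch seconds (empty = never).
key_status() {
    awk -F: -v now="$1" -v warn="$WARN_DAYS" '
        $1 == "pub" || $1 == "sub" {
            expiry = $7
            if (expiry == "")                      status = "ok"
            else if (expiry + 0 <= now + 0)        status = "EXPIRED"
            else if (expiry - now < warn * 86400)  status = "EXPIRING"
            else                                   status = "ok"
            print status, $5, (expiry == "" ? "never" : expiry)
        }'
}

# check_keyring: separate "keyring directory missing" from "keys present but expired".
check_keyring() {
    if [ ! -d "$KEYRING_DIR" ]; then
        echo "MISSING $KEYRING_DIR"
        return 2
    fi
    gpg --homedir "$KEYRING_DIR" --with-colons --list-keys 2>/dev/null |
        key_status "$(date +%s)"
}

# Constructed sample listing (placeholder key IDs, not real Gentoo keys).
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1436227200:1530403200::-:::sc::::::23::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1436227200:1530403200:::::s::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1436227200:1532044800::-:::sc::::::23::0:
uid:-::::1436227200::0000000000000000000000000000000000000000::Constructed Example Key::::::::::0:
pub:-:4096:1:DDDDDDDDDDDDDDDD:1436227200:::-:::sc::::::23::0:
EOF
}

# Demo on the sample, evaluated at 2018-07-04 00:00 UTC (epoch 1530662400).
sample_listing | key_status 1530662400
```

On a real system, call `check_keyring` with read access to the keyring directory; a MISSING line means there is nothing to refresh at that path, while EXPIRED lines mean the keys are there but out of date.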