Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] How to recover gentoo keys and verify portage following recent update debacle
Date: Thu, 05 Jul 2018 17:53:45
Message-Id: 2954509.GMxTUrvBP5@dell_xps
My use case may be slightly different to others who use git or webrsync. I've
always used rsync to keep portage up to date. Since the portage gentoo keys
went out of sync a couple of days ago I ended up like other gentoo users with
a 'chicken and egg' situation. The rsync process would fail verification
because the public key was not available without
app-crypt/openpgp-keys-gentoo-release first being updated to the latest
20180703 version.

A poster on another thread has provided advice on using gemato to verify the
gentoo keys, but I don't know or understand the process gemato follows to just
type incantations on a keyboard and hope for the best.

The process I ended up using involved:

- removing all stale portage files;
- refreshing the gentoo keys manually;
- downloading the latest portage snapshot md5sum and its gpg signature;
- verifying the snapshot with gpg and using it to install the latest
  app-crypt/openpgp-keys-gentoo-release.

You may find all this too radical for your needs, but I post it here in case
others benefit from it.


1. Fetch the gentoo keys on your user keyring:

From Gentoo Release media signatures web page[1] I can see the fingerprint of
the Gentoo Portage Snapshot Signing Key is 0xDB6B8C1F96D8BF6D.

I assumed here if this key had gone bad then Release Engineering would have
replaced it by now.

$ gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D

This downloads all keys and signatures.

$ gpg --check-signatures 0xDB6B8C1F96D8BF6D

The output shows the signature on the keyserver is still valid and has not
been revoked.


2. Remove stale portage and download the latest portage snapshot from your
local mirror[2]:

# cd /usr
# rm -Rf portage/*
# wget <ftp://your_local_mirror.com>/snapshots/portage-latest.tar.xz*
3. Verify the snapshot was signed by the gentoo keys:

$ cd /usr
$ gpg --verify portage-latest.tar.xz.gpgsig portage-latest.tar.xz
gpg: enabled debug flags: memstat
gpg: Signature made Thu Jul 5 01:51:21 2018 BST
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: using subkey EC590EEAC9189250 instead of primary key DB6B8C1F96D8BF6D
gpg: using classic trust model
gpg: Good signature from "Gentoo ebuild repository signing key (Automated
Signing Key) <infrastructure@g.o>" [unknown]
gpg: aka "Gentoo Portage Snapshot Signing Key (Automated
Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
gpg: keydb: handles=2 locks=0 parse=0 get=3
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=1 found=3 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=18 cached=18 good=18 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

OK, the "Good signature" message above and the correct fingerprint are an
encouraging indication. Had I selected to trust this key the signature would
be shown as trusted.


4. Untar the snapshot into portage/

# tar -xvf portage-latest.tar.xz


5. Install the latest app-crypt/openpgp-keys-gentoo-release-20180703

# emerge -1aDv app-crypt/openpgp-keys-gentoo-release


6. Remove unneeded files:

# rm -Rf portage-latest.tar.xz*


7. Sync your portage as usual, in my case:

# eix-sync

This time the verification process completes without any complaints about
public keys missing:
..
Number of files: 161,932 (reg: 134,484, dir: 27,448)
Number of created files: 25 (reg: 24, dir: 1)
Number of deleted files: 13 (reg: 13)
Number of regular files transferred: 118
Total file size: 218.65M bytes
Total transferred file size: 2.67M bytes
Literal data: 2.67M bytes
Matched data: 0 bytes
File list size: 3.41M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 32.27K
Total bytes received: 5.88M

sent 32.27K bytes received 5.88M bytes 358.23K bytes/sec
total size is 218.65M speedup is 36.99
* Manifest timestamp: 2018-07-05 15:38:30 UTC
* Valid OpenPGP signature found:
* - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
* - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
* - timestamp: 2018-07-05 15:38:30 UTC
* Verifying /usr/portage ... [ ok ]
=== Sync completed for gentoo
q: Updating ebuild cache in /usr/portage ...
q: Finished 35632 entries in 0.330802 seconds

Action: sync for repo: gentoo, returned code = 0


Finally I was able to update my system(s) with a known good portage state.

PS. In the mirror I used I found .md5sum as well as .umd5sum files, containing
different hashes. I have not seen .umd5sum files before, any idea what type
of hashes these are?

PPS. Given md5 collisions are known and md5 is considered completely broken,
why are we still using it in 2018?


[1] https://www.gentoo.org/downloads/signatures/
[2] https://www.gentoo.org/downloads/mirrors/

--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature
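The fingerprint check that step 3 of the post does by eye, done mechanically. This is an added example, not code from the post or from Gentoo, written in Python and assuming gpg is on PATH. It runs gpg with --status-fd so the verdict is machine-readable, and accepts the snapshot only when the VALIDSIG status line names the primary key fingerprint the post reads off the signatures page (DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D). A "Good signature" line alone is not enough: gpg prints it for any key in the keyring whose user ID matches, so a look-alike key with the same name would pass an eyeball check of that line. The status lines embedded in the block are constructed, modelled on the post's gpg output; the look-alike fingerprint and the revoked key id are made up.

```python
"""Mechanical version of step 3 of the post (added example, not Gentoo code).

Runs gpg with --status-fd and accepts the snapshot only when the VALIDSIG
status line names the pinned primary key fingerprint: "Good signature"
alone is printed for any keyring key whose user ID matches.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

# Primary key fingerprint as printed in the post's gpg output (step 3).
GENTOO_SNAPSHOT_PRIMARY_FPR = "DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"

# Status tokens after which the signature must be rejected outright.
_REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY", "NODATA"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_fpr: Optional[str] = None  # (sub)key that made the signature
    primary_fpr: Optional[str] = None  # primary key that subkey belongs to


def _normalise(fpr: str) -> str:
    """Accept fingerprints as gpg prints them ('DCD0 5B71 ...') or bare."""
    return fpr.replace(" ", "").upper()


def check_status(lines: Iterable[str], expected_primary_fpr: str) -> VerifyResult:
    """Decide from gpg --status-fd lines whether the pinned key signed the data."""
    expected = _normalise(expected_primary_fpr)
    signing = primary = None
    good = False
    for raw in lines:
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # not a status line (e.g. ordinary gpg chatter)
        token = fields[1]
        if token in _REJECT:
            return VerifyResult(False, f"gpg reported {token}")
        if token == "GOODSIG":
            good = True
        elif token == "VALIDSIG":
            # VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <reserved>
            #          <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            signing = _normalise(fields[2])
            # Primary fpr is absent when the primary key itself signed.
            primary = _normalise(fields[11]) if len(fields) > 11 else signing
    if not (good and signing):
        return VerifyResult(False, "no valid signature found")
    if primary != expected:
        return VerifyResult(False, f"signed by {primary}, expected {expected}",
                            signing, primary)
    return VerifyResult(True, "signature made by the pinned key", signing, primary)


def verify_snapshot(sig_path: str, data_path: str,
                    expected_primary_fpr: str = GENTOO_SNAPSHOT_PRIMARY_FPR,
                    gpg: str = "gpg") -> VerifyResult:
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return check_status(proc.stdout.splitlines(), expected_primary_fpr)


# Constructed status lines modelled on the post's gpg output, not captured.
STATUS_GENUINE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG EC590EEAC9189250 Gentoo ebuild repository signing key "
    "(Automated Signing Key) <infrastructure@gentoo.org>",
    "[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2018-07-05 "
    "1530751881 0 4 0 1 10 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Hypothetical look-alike key: same user ID, made-up fingerprint.  gpg still
# says GOODSIG for it; only the fingerprint comparison catches it.
STATUS_LOOKALIKE = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Gentoo ebuild repository signing key "
    "(Automated Signing Key) <infrastructure@gentoo.org>",
    "[GNUPG:] VALIDSIG 1111111111111111111111110123456789ABCDEF 2018-07-05 "
    "1530751881 0 4 0 1 10 00 1111111111111111111111110123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Signature by a key gpg knows to be revoked (made-up key id).
STATUS_REVOKED = [
    "[GNUPG:] REVKEYSIG FEDCBA9876543210 Old key <nobody@example.org>",
]

if __name__ == "__main__":
    for name, lines in (("genuine", STATUS_GENUINE),
                        ("look-alike", STATUS_LOOKALIKE), ("revoked", STATUS_REVOKED)):
        r = check_status(lines, GENTOO_SNAPSHOT_PRIMARY_FPR)
        print(f"{name:10s} ok={r.ok}  {r.reason}")
```

After the recv-keys step, verify_snapshot("/usr/portage-latest.tar.xz.gpgsig", "/usr/portage-latest.tar.xz") returns ok=True only for the pinned key, and the untar should be gated on that. It replaces neither fetching the fingerprint from the signatures page over HTTPS nor the signature verification the sync itself performs afterwards; it only removes the manual comparison of the 40 hex digits, which is where a look-alike key or a typo slips through.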