My use case may be slightly different to others who use git or webrsync. I've
always used rsync to keep portage up to date. Since the portage gentoo keys
went out of sync a couple of days ago I ended up like other gentoo users with
a 'chicken and egg' situation. The rsync process would fail verification
because the public key was not available without
app-crypt/openpgp-keys-gentoo-release first being updated to the latest
20180703 version.

A poster on another thread has provided advice on using gemato to verify the
gentoo keys, but I don't know or understand the process gemato follows to just
type incantations on a keyboard and hope for the best.

The process I ended up using involved:

- removing all stale portage files;
- refreshing the gentoo keys manually;
- downloading the latest portage snapshot md5sum and its gpg signature;
- verifying the snapshot with gpg and using it to install the latest
  app-crypt/openpgp-keys-gentoo-release.

You may find all this too radical for your needs, but I post it here in case
others benefit from it.


1. Fetch the gentoo keys into your user keyring:

From the Gentoo Release media signatures web page[1] I can see the fingerprint
of the Gentoo Portage Snapshot Signing Key is 0xDB6B8C1F96D8BF6D.

I assumed here that if this key had gone bad then Release Engineering would
have replaced it by now.

$ gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D

This downloads all keys and signatures.

$ gpg --check-signatures 0xDB6B8C1F96D8BF6D

The output shows the signature on the keyserver is still valid and has not
been revoked.


2. Remove stale portage and download the latest portage snapshot from your
local mirror[2]:

# cd /usr
# rm -Rf portage/*
# wget <ftp://your_local_mirror.com>/snapshots/portage-latest.tar.xz*


3. Verify the snapshot was signed by the gentoo keys:

$ cd /usr
$ gpg --verify portage-latest.tar.xz.gpgsig portage-latest.tar.xz
gpg: enabled debug flags: memstat
gpg: Signature made Thu Jul 5 01:51:21 2018 BST
gpg: using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: using subkey EC590EEAC9189250 instead of primary key DB6B8C1F96D8BF6D
gpg: using classic trust model
gpg: Good signature from "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@g.o>" [unknown]
gpg: aka "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F 44AC DB6B 8C1F 96D8 BF6D
Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F DF1C EC59 0EEA C918 9250
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096
gpg: keydb: handles=2 locks=0 parse=0 get=3
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=1 found=3 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=18 cached=18 good=18 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

OK, the "Good signature" message above and the correct fingerprint are an
encouraging indication. Had I selected to trust this key the signature would
be shown as trusted.


4. Untar the snapshot into portage/

# tar -xvf portage-latest.tar.xz


5. Install the latest app-crypt/openpgp-keys-gentoo-release-20180703

# emerge -1aDv app-crypt/openpgp-keys-gentoo-release


6. Remove unneeded files:

# rm -Rf portage-latest.tar.xz*


7. Sync your portage as usual, in my case:

# eix-sync

This time the verification process completes without any complaints about
missing public keys:

..
Number of files: 161,932 (reg: 134,484, dir: 27,448)
Number of created files: 25 (reg: 24, dir: 1)
Number of deleted files: 13 (reg: 13)
Number of regular files transferred: 118
Total file size: 218.65M bytes
Total transferred file size: 2.67M bytes
Literal data: 2.67M bytes
Matched data: 0 bytes
File list size: 3.41M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 32.27K
Total bytes received: 5.88M

sent 32.27K bytes received 5.88M bytes 358.23K bytes/sec
total size is 218.65M speedup is 36.99
* Manifest timestamp: 2018-07-05 15:38:30 UTC
* Manifest timestamp: 2018-07-05 15:38:30 UTC
* Valid OpenPGP signature found:
* - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
total size is 218.65M speedup is 36.99
* Manifest timestamp: 2018-07-05 15:38:30 UTC
* Valid OpenPGP signature found:
* Valid OpenPGP signature found:
* - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
* - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
* - timestamp: 2018-07-05 15:38:30 UTC
* - timestamp: 2018-07-05 15:38:30 UTC
* Verifying /usr/portage ... [ ok ]
=== Sync completed for gentoo
q: Updating ebuild cache in /usr/portage ...
q: Updating ebuild cache in /usr/portage ...
q: Finished 35632 entries in 0.330802 seconds

Action: sync for repo: gentoo, returned code = 0


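The verification in step 3, as an added example that is not part of the original post: a POSIX sh check that reads gpg's machine-readable status lines (--status-fd) and accepts the snapshot only when a VALIDSIG line names the full 40-hex primary fingerprint printed in step 3, instead of relying on the 16-hex key ID or on spotting "Good signature" in the human-readable output. The check_status, verify_snapshot and demo function names and the status transcript are mine, constructed for this example; the VALIDSIG field layout is GnuPG's documented status format.

```sh
#!/bin/sh
# Added example, not code from the original post: judge the step 3 result by
# gpg's machine-readable status lines, pinned to the full 40-hex primary key
# fingerprint (not the 16-hex key ID, and not the "Good signature" text).

# Primary fingerprint printed in step 3 (spaces removed). Check it against
# the Gentoo signatures page [1] before relying on it.
GENTOO_SNAPSHOT_FPR="DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"

# check_status EXPECTED_FPR  <  "[GNUPG:] ..." lines from gpg --status-fd
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as primary key (10th
# field after the keyword) and no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG
# appears. GOODSIG alone is not enough: gpg prints it for any keyring key.
check_status() {
    expected="$1"
    ok=1
    while IFS=' ' read -r prefix keyword f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)   # f1 = signing subkey, f10 = primary key fingerprint
                if [ "$f10" = "$expected" ]; then ok=0; fi ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
        esac
    done
    return "$ok"
}

# verify_snapshot SIGFILE DATAFILE: the key from step 1 must already be in
# the keyring; the exit status is check_status's verdict.
verify_snapshot() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_status "$GENTOO_SNAPSHOT_FPR"
}

# Constructed status transcript using the fingerprints from step 3; the
# date and timestamp fields are made up for this demo.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EC590EEAC9189250 Gentoo ebuild repository signing key
[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2018-07-05 1530751881 0 4 0 1 10 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
[GNUPG:] TRUST_UNDEFINED 0 pgp'

demo() {
    if printf '%s\n' "$SAMPLE_STATUS" | check_status "$GENTOO_SNAPSHOT_FPR"; then
        echo "snapshot signature OK: pinned primary fingerprint matched"
    else
        echo "REJECT: no valid signature from the pinned key" >&2
        return 1
    fi
}
```

On a real system, verify_snapshot portage-latest.tar.xz.gpgsig portage-latest.tar.xz replaces the eyeball check in step 3; a non-zero exit means the snapshot must not be unpacked.
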
Finally I was able to update my system(s) with a known good portage state.

PS. In the mirror I used I found .md5sum as well as .umd5sum files, containing
different hashes. I have not seen .umd5sum files before, any idea what type
of hashes these are?

PPS. Given md5 collisions are known and md5 is considered completely broken,
why are we still using it in 2018?


[1] https://www.gentoo.org/downloads/signatures/
[2] https://www.gentoo.org/downloads/mirrors/

--
Regards,
Mick