On Friday 19 July 2019 18:21:46 CEST Ian Zimmerman wrote:
> On 2019-07-18 19:42, Stefano Crocco wrote:
> > Hello to everyone,
> > since yesterday emerge --sync fails because it can't refresh keys. The
> > messages I get are:
> >
> > Syncing repository 'gentoo' into '/usr/portage'...
> >
> > * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> > * Refreshing keys via WKD ... [ !! ]
> > * Refreshing keys from keyserver hkps://keys.gentoo.org ... OpenPGP keyring refresh failed:
> > gpg: refreshing 4 keys from hkps://keys.gentoo.org
> > gpg: keyserver refresh failed: No keyserver available
> >
> > OpenPGP keyring refresh failed:
> > gpg: refreshing 4 keys from hkps://keys.gentoo.org
> > gpg: keyserver refresh failed: No keyserver available
>
> Perhaps something to do with this?
>
> https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
>
> Aside:
> I have already switched my personal gpg configuration to use the new
> isolated keyserver.

Thanks for the answer. I'd heard of this attack and read this [1] article on
gentoo.org. From what I understand, it said that in theory there shouldn't be
problems when syncing because "The gemato tool used to verify the Gentoo
ebuild repository uses WKD by default. During normal operation it should not
be affected by this vulnerability". Reading the article again, I now see it
also says that "In the worst case; Gentoo repository syncs will be slow or
hang" which, as you suggest, could very well be what's happened on my system.
Unfortunately, the article doesn't say what to do if this happens.

Tomorrow I'll try investigating more.

Stefano

[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html