From: Mark Knecht
To: Gentoo AMD64 (gentoo-amd64@lists.gentoo.org)
Date: Wed, 6 Aug 2014 14:33:28 -0700
Subject: Re: [gentoo-amd64] Re: "For What It's Worth" (or How do I know my Gentoo source code hasn't been messed with?)

Hi Duncan

On Mon, Aug 4, 2014 at 10:52 PM, Duncan <1i5t5.duncan@cox.net> wrote:
>
> 3) While #1 applies to the tree in general when it is rsynced, gentoo
> does have a somewhat higher security sync method for the paranoid and to
> support users behind firewalls which don't pass rsync. Instead of
> running emerge sync, this method uses the emerge-webrsync tool, which
> downloads the entire main gentoo tree as a gpg-signed tarball. If you
> have FEATURES=webrsync-gpg set (see the make.conf manpage, FEATURES,
> webrsync-gpg), portage will verify the gpg signature on this tarball.
>

I'm finally able to investigate this today. I'm not finding very detailed
instructions anywhere, more like notes people would use if they've done
this before and understand all the issues. Being that it's my first
excursion down this road I have much to learn.

OK, I've modified make.conf as such:

FEATURES="buildpkg strict webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"

and created /etc/portage/gpg:

c2RAID6 portage # ls -al
total 72
drwxr-xr-x 13 root root 4096 Aug  6 14:25 .
drwxr-xr-x 87 root root 4096 Aug  6 09:10 ..
drwxr-xr-x  2 root root 4096 Apr 27 10:26 bin
-rw-r--r--  1 root root   22 Jan  1  2014 categories
drwxr-xr-x  2 root root 4096 Jul  6 09:42 env
drwx------  2 root root 4096 Aug  6 14:03 gpg
-rw-r--r--  1 root root 1573 Aug  6 14:03 make.conf
lrwxrwxrwx  1 root root   63 Mar  5  2013 make.profile -> ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
[the rest deleted...]

eix-sync seems to be working but it may (or may not) be caught in some
loop where it just keeps looking for older data. I let it go until it got
back into July and then did a Ctrl-C:

c2RAID6 portage # eix-sync -wa
 * Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140805 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140805.tar.xz.md5sum ...
Fetching file portage-20140805.tar.xz.gpgsig ...
Fetching file portage-20140805.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug  5 17:55:23 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.bz2.md5sum ...
Fetching file portage-20140805.tar.bz2.gpgsig ...
Fetching file portage-20140805.tar.bz2 ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug  5 17:55:22 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.gz.md5sum ...
20140805 snapshot was not found
Trying to retrieve 20140804 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140804.tar.xz.md5sum ...
Fetching file portage-20140804.tar.xz.gpgsig ...
Fetching file portage-20140804.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Mon Aug  4 17:55:27 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key

QUESTIONS:

1) Is the 'No public key' message talking about me, or something at the
source? I haven't got any keys so maybe I need to generate one?

2) Once I do get this working correctly it would make sense to me that I
need to delete all existing distfiles to ensure that anything on my system
actually came from this tarball. Is that correct?

> So sync-method bottom line, if you're paranoid or simply want additional
> gpg-signed security, use emerge-webrsync along with FEATURES=webrsync-gpg,
> instead of normal rsync-based emerge sync. That pretty well ensures that
> you're getting exactly the gentoo tree tarball gentoo built and signed,
> which is certainly far more secure than normal rsync syncing, but because
> the tarballing and signing is automated and covers the entire tree,
> there's still the possibility that one or more files in that tarball are
> compromised and that it hasn't been detected yet.

Or, as we both have alluded to, the bad guy is intercepting the
transmission and giving me a different tarball...

For now, it's more than enough to take a baby first step.

Thanks for all your sharing of info!

Cheers,
Mark
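An added example, not part of this thread or of Portage itself: a small Python checker that walks emerge-webrsync output like the log above and records, per snapshot tarball, whether gpg verified it and which key ID signed it, so that "Can't check signature: No public key" is read for what it is, a key missing from the local PORTAGE_GPG_DIR keyring rather than a fault at the source (the tarball is rejected either way). The sample log is constructed from the output quoted in the mail; the "Good signature" line and its user ID are constructed for contrast.

```python
import re

# Constructed sample based on the webrsync output quoted above (key ID C9189250 is
# the one from the page); the final "Good signature" line and its UID are constructed.
SAMPLE_LOG = """\
Trying to retrieve 20140805 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140805.tar.xz ...
gpg: Signature made Tue Aug  5 17:55:23 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.bz2 ...
gpg: Signature made Tue Aug  5 17:55:22 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Trying to retrieve 20140804 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140804.tar.xz ...
gpg: Signature made Mon Aug  4 17:55:27 2014 PDT using RSA key ID C9189250
gpg: Good signature from "Gentoo snapshot signing key (constructed UID)"
"""

TRYING = re.compile(r"^Trying to retrieve (\d{8}) snapshot")
TARBALL = re.compile(r"^Fetching file (portage-\d{8}\.tar\.[a-z0-9]+) \.\.\.$")
SIG_MADE = re.compile(r"^gpg: Signature made .* key ID ([0-9A-Fa-f]+)$")

def classify(line):
    """Map one gpg status line to a verdict; None if the line is not a verdict."""
    if line.startswith("gpg: Can't check signature: No public key"):
        # Local keyring (PORTAGE_GPG_DIR) lacks the signer's public key: a gap on this machine, not at the source.
        return "missing-key"
    if line.startswith("gpg: BAD signature"):
        return "bad"   # tarball or signature altered in transit or at rest: never use it
    if line.startswith("gpg: Good signature"):
        return "good"  # only as trustworthy as the way the public key itself was obtained
    return None

def audit(log):
    """Return {snapshot: {tarball: (verdict, signing key ID)}} from webrsync output."""
    results, snapshot, tarball, key_id = {}, None, None, None
    for line in log.splitlines():
        if m := TRYING.match(line):
            snapshot, tarball = m.group(1), None
            results.setdefault(snapshot, {})
        elif m := TARBALL.match(line):
            tarball = m.group(1)
        elif m := SIG_MADE.match(line):
            key_id = m.group(1)
        elif (verdict := classify(line)) and snapshot and tarball:
            results[snapshot][tarball] = (verdict, key_id)
    return results

def missing_keys(results):
    """Key IDs that must be present in PORTAGE_GPG_DIR before any snapshot can verify."""
    return sorted({key for tarballs in results.values()
                   for verdict, key in tarballs.values() if verdict == "missing-key"})
```

Run `audit(SAMPLE_LOG)` and `missing_keys(...)` on the output of a real `emerge-webrsync` run to see which signing key IDs the local keyring still lacks.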