From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 14E9815808A for ; Wed, 30 Jul 2025 05:06:56 +0000 (UTC) Received: from lists.gentoo.org (bobolink.gentoo.org [140.211.166.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) (Authenticated sender: relay-lists.gentoo.org@gentoo.org) by smtp.gentoo.org (Postfix) with ESMTPSA id 03EA7340F94 for ; Wed, 30 Jul 2025 05:06:56 +0000 (UTC) Received: from bobolink.gentoo.org (localhost [127.0.0.1]) by bobolink.gentoo.org (Postfix) with ESMTP id 018B1110377; Wed, 30 Jul 2025 05:06:55 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) by bobolink.gentoo.org (Postfix) with ESMTPS id EB14F110377 for ; Wed, 30 Jul 2025 05:06:54 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9D374340F94 for ; Wed, 30 Jul 2025 05:06:54 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2F458286A for ; Wed, 30 Jul 2025 05:06:53 +0000 (UTC) From: "Eli Schwartz" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Eli Schwartz" Message-ID: <1753851990.4422a601583bdfadbe80a18115f5873c4a08f456.eschwartz@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/ X-VCS-Repository: repo/gentoo X-VCS-Files: eclass/sec-keys.eclass X-VCS-Directories: eclass/ X-VCS-Committer: eschwartz X-VCS-Committer-Name: Eli Schwartz X-VCS-Revision: 4422a601583bdfadbe80a18115f5873c4a08f456 X-VCS-Branch: master Date: Wed, 30 Jul 2025 05:06:53 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 6f040c30-0c70-415f-a9c9-a0dee0d09c52 X-Archives-Hash: 9eb48622cfb9d243d93abb0f3181baf0 commit: 4422a601583bdfadbe80a18115f5873c4a08f456 Author: Eli Schwartz gentoo org> AuthorDate: Wed Nov 27 20:09:21 2024 +0000 Commit: Eli Schwartz gentoo org> CommitDate: Wed Jul 30 05:06:30 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4422a601 sec-keys.eclass: new eclass The current state of verify-sig support is a bit awkward. We rely on validating distfiles against a known trusted keyring, but creating the known trusted keyring is basically all manual verification. We somehow decide an ascii armored key is good enough without any portage assistance, then arrange to download it and trust it by Manifest hash. How do we know when updating a key is actually safe? This eclass handles the problem in a manner inspired in part by pacman. We require an eclass variable that lists all permitted PGP fingerprints, and the eclass is responsible checking that list against the keys we will install. It comes with a mechanism for computing SRC_URI for a couple of well known locations, or you can append your own in the ebuild. Key rotations, both expected and malicious, are easily detected by checking the git log for changes to declared fingerprints in a bump. The former can be rationalized in the commit message. So can the latter, but in most cases those will be rejected during peer review. Signed-off-by: Eli Schwartz gentoo.org> eclass/sec-keys.eclass | 206 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 206 insertions(+) diff --git a/eclass/sec-keys.eclass b/eclass/sec-keys.eclass new file mode 100644 index 000000000000..ce0396be414a --- /dev/null +++ b/eclass/sec-keys.eclass @@ -0,0 +1,206 @@ +# Copyright 2024-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# @ECLASS: sec-keys.eclass +# @MAINTAINER: +# Eli Schwartz +# @AUTHOR: +# Eli Schwartz +# @SUPPORTED_EAPIS: 8 +# @BLURB: Provides a uniform way of handling ebuilds which package PGP key material +# @DESCRIPTION: +# This eclass provides a streamlined approach to finding suitable source +# material for OpenPGP keys used by the verify-sig eclass. Its primary +# purpose is to permit developers to easily and securely package new +# sec-keys/* packages. The eclass removes the risk of developers +# accidentally packaging malformed key material, or neglecting to +# notice when PGP identities have changed. +# +# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the +# fingerprint of the key and the short name of the key's owner. +# +# @EXAMPLE: +# Example use: +# +# @CODE +# SEC_KEYS_VALIDPGPKEYS=( +# '3DB7F3CA6C1D90B99FE25B38D4B476A4D175C54F:bjones:ubuntu' +# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github,openpgp' +# # key only available on personal website, use manual SRC_URI +# '5FD9B5EC8E3F12D11BA47D50F6D698C6F397D76B:awhite:manual' +# ) +# +# inherit sec-keys +# +# SRC_URI+="https://awhite.com/awhite.gpg -> awhite-${PV}.gpg" +# @CODE + +case ${EAPI} in + 8) ;; + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; +esac + +if [[ ! ${_SEC_KEYS_ECLASS} ]]; then +_SEC_KEYS_ECLASS=1 + +inherit eapi9-pipestatus edo + +# @ECLASS_VARIABLE: SEC_KEYS_VALIDPGPKEYS +# @PRE_INHERIT +# @DEFAULT_UNSET +# @DESCRIPTION: +# Mapping of fingerprints, name, and optional locations of PGP keys to +# include, separated by colons. The allowed values for a location are: +# +# - gentoo -- fetch key by fingerprint from https://keys.gentoo.org +# +# - github -- fetch key from github.com/${name}.pgp +# +# - openpgp -- fetch key by fingerprint from https://keys.openpgp.org +# +# - ubuntu -- fetch key by fingerprint from http://keyserver.ubuntu.com +# +# - manual -- do not add to SRC_URI, the ebuild will provide a custom +# download location +_sec_keys_set_globals() { + local key fingerprint name loc locations=() remote + + for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do + fingerprint=${key%%:*} + name=${key#${fingerprint}:}; name=${name%%:*} + IFS=, read -r -a locations <<<"${key##*:}" + [[ ${locations[@]} ]] || die "${ECLASS}: ${name}: PGP key remote is mandatory" + for loc in "${locations[@]}"; do + case ${loc} in + gentoo) remote="https://keys.gentoo.org/pks/lookup?op=get&search=0x${fingerprint}";; + github) remote="https://github.com/${name}.gpg";; + openpgp) remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";; + ubuntu) remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";; + # provided via manual SRC_URI + manual) continue;; + *) die "${ECLASS}: unknown PGP key remote: ${loc}";; + esac + SRC_URI+=" + ${remote} -> openpgp-keys-${name}-${loc}-${PV}.asc + " + done + done +} +_sec_keys_set_globals +unset -f _sec_keys_set_globals + +S=${WORKDIR} + +LICENSE="public-domain" +SLOT="0" + +IUSE="test" +PROPERTIES="test_network" +RESTRICT="!test? ( test )" + +BDEPEND=" + app-crypt/gnupg + test? ( app-crypt/pgpdump ) +" + + + +# @FUNCTION: sec-keys_src_compile +# @DESCRIPTION: +# Default src_compile override that: +# +# - imports all public keys into a keyring +# +# - validates that they are listed in SEC_KEYS_VALIDPGPKEYS +# +# - minifies and exports them back into a unified keyfile +sec-keys_src_compile() { + local -x GNUPGHOME=${WORKDIR}/gnupg + local fingerprint + local gpg_command=(gpg --export-options export-minimal) + + mkdir -m700 -p "${GNUPGHOME}" || die + cat <<- EOF > "${GNUPGHOME}"/gpg.conf || die + no-secmem-warning + EOF + + pushd "${DISTDIR}" >/dev/null || die + gpg --import ${A} || die + popd >/dev/null || die + + local line imported_keys=() found=0 + while IFS=: read -r -a line; do + if [[ ${line[0]} = pub ]]; then + # new key + found=0 + elif [[ ${found} = 0 && ${line[0]} = fpr ]]; then + # primary fingerprint + imported_keys+=("${line[9]}") + found=1 + fi + done < <(gpg --batch --list-keys --with-colons || die) + + printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort > allowed_keys.list || die + + local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die)) + local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die)) + + if [[ ${#extra_keys[@]} != 0 ]]; then + die "Too many keys found. Suspicious keys: ${extra_keys[@]}" + fi + if [[ ${#missing_keys[@]} != 0 ]]; then + die "Too few keys found. Unavailable keys: ${missing_keys[@]}" + fi + + for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do + local uids=() + mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die) + edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" > "${fingerprint}.asc" + cat ${fingerprint}.asc >> ${PN#openpgp-keys-}.asc || die + done +} + +sec-keys_src_test() { + local -x GNUPGHOME=${WORKDIR}/gnupg + local key fingerprint name server + local gpg_command=(gpg --export-options export-minimal) + + # Best-effort attempt to check for updates. keyservers can and usually + # do fail for weird reasons, (such as being unable to import a key + # without a uid) as well as normal reasons, like the key being exclusive + # to a different keyserver. this isn't a reason to fail src_test. + for server in keys.gentoo.org keys.openpgp.org keyserver.ubuntu.com; do + gpg --refresh-keys --keyserver "hkps://${server}" + done + for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do + if [[ ${key##*:} = *github* ]]; then + name=${key#*:}; name=${name%%:*} + wget -qO- https://github.com/${name}.gpg | gpg --import + pipestatus || die + fi + done + + for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do + pgpdump "${fingerprint}.asc" > "${fingerprint}.pgpdump" || die + + "${gpg_command[@]}" --export "${fingerprint}" | pgpdump > "${fingerprint}.pgpdump.new" + pipestatus || die + + diff -u "${fingerprint}.pgpdump" "${fingerprint}.pgpdump.new" || die "updates available for PGP key: ${fingerprint}" + done + +} + +# @FUNCTION: sec-keys_src_install +# @DESCRIPTION: +# Default src_install override that installs an ascii-armored keyfile +# installed to the standard /usr/share/openpgp-keys. +sec-keys_src_install() { + insinto /usr/share/openpgp-keys + doins ${PN#openpgp-keys-}.asc +} + +fi + +EXPORT_FUNCTIONS src_compile src_test src_install