From: Kristian Fiskerstrand <k_f@gentoo.org>
To: gentoo-dev@lists.gentoo.org, "Michał Górny" <mgorny@gentoo.org>
Subject: Re: [gentoo-dev] [News item review] Portage rsync tree verification
Date: Thu, 25 Jan 2018 12:01:12 +0100
Message-ID: <4b01cbd2-ce27-a701-46b8-472b32b9ef4e@gentoo.org>
In-Reply-To: <1516874667.1833.4.camel@gentoo.org>
On 01/25/2018 11:04 AM, Michał Górny wrote:
> Hi,
>
Thanks for your work on this!
> This one would be committed once new sys-apps/portage release is
> wrapped up and hits ~arch.
>
> ---
> Title: Portage rsync tree verification
> Author: Michał Górny <mgorny@gentoo.org>
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <sys-apps/portage-2.3.21
>
> Starting with sys-apps/portage-2.3.22, Portage enables strong
> cryptographic verification of the Gentoo rsync tree by default. This
> aims to prevent malicious third parties from altering the contents of
> the ebuild repository received by our users.
Just for the sake of it, I would remove "strong" here, as it is a description
and not a PR document. Should we be consistent with referencing, so e.g.
the Gentoo ebuild repository as distributed through rsync, or something?
Atm we seem to be using different terms all over the place, so we should try
to harmonize a bit.
>
> The verification is implemented using app-portage/gemato. Currently,
... "implemented in", as opposed to "using"? It's implemented using
various cryptographic primitives, but gemato is the implementation
itself, of sorts.
> the whole repository is verified after syncing. On systems with slow
> hard drives, this could take around 2 minutes. If you wish to
> disable it, you can disable the 'rsync-verify' flag on
USE flag?
> sys-apps/portage or set 'sync-rsync-verify-metamanifest = no' in your
> repos.conf.
>
> Please note that the verification currently does not prevent Portage
> from using the repository after syncing. If 'emerge --sync' fails, do
> not install any packages and retry syncing. In case of prolonged or
> frequent verification failures, please make sure to report a bug
> including the failing mirror addresses (found in emerge.log).
>
> The verification uses keys provided by the app-crypt/gentoo-keys
> package. The keys are refreshed from the keyserver before every use
> in order to check for revocation. The post-sync verification ensures
> that the key package is verified itself. However, manual
> verification is required before the first use.
Maybe some wording around binary keyring? e.g the verification uses
information from the binary keyring provided by app-crypt/gentoo-keys?
In particular the reference to "key package" might be misread (and the
keyring consists of multiple public keyblocks, that includes much more
information than the cryptographic keys per se)
>
> On new Gentoo installations including portage-2.3.22, the
stage3s?
> verification of the keys will be covered by verifying the
> installation media and repository snapshot signatures. On existing
> installations, you need to manually compare the primary key
> fingerprint (reported by gemato on every sync) against the official
> Gentoo keys [1]. An example gemato output is:
>
> INFO:root:Valid OpenPGP signature found:
> INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
> INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
>
> The primary key printed must match 'Gentoo Portage Snapshot Signing
> Key' on the site. Please make sure to also check the certificate
> used for the secure connection to the site!
>
> [1]: https://www.gentoo.org/downloads/signatures/
> ---
>
--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
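The news item tells existing installations to compare the primary key fingerprint that gemato prints after 'emerge --sync' against the 'Gentoo Portage Snapshot Signing Key' listed on the signatures page. The script below is an added example (not part of the news item, Portage or gemato) that parses the three-line gemato output shown in the item and compares only the *primary* key, not the subkey, against a pinned value. The pinned fingerprint is the placeholder from the item's sample output, not a real Gentoo key; a user would paste the fingerprint from https://www.gentoo.org/downloads/signatures/ instead. Fingerprints are normalized (case, spacing) because the site prints them space-grouped while gemato prints them as one hex string, and a 16-digit key ID is rejected on purpose since only the full 40-digit fingerprint is a safe identifier.

```python
"""Compare the primary-key fingerprint gemato reports after 'emerge --sync'
with one copied from the Gentoo signatures page.

Added example; not code from the news item, Portage or gemato. The log
format parsed here is the sample printed in the news item.
"""
import re

# Fingerprint as it would be copied from the signatures page (space-grouped).
# Placeholder taken from the news item's sample, NOT a real Gentoo key.
EXPECTED_PRIMARY_FPR = "1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678"

_VALID_RE = re.compile(r"^INFO:root:Valid OpenPGP signature found:")
_PRIMARY_RE = re.compile(r"^INFO:root:- primary key:\s*([0-9A-Fa-f ]+?)\s*$")
_SUBKEY_RE = re.compile(r"^INFO:root:- subkey:\s*([0-9A-Fa-f ]+?)\s*$")


def normalize_fpr(fpr: str) -> str:
    """Canonical form: uppercase hex, no whitespace.

    Rejects anything that is not a 40-hex-digit OpenPGP v4 fingerprint;
    in particular a short 16-digit key ID is refused, as key IDs can be
    collided and must never be used for trust decisions.
    """
    canon = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", canon):
        raise ValueError(f"not a 40-hex-digit OpenPGP fingerprint: {fpr!r}")
    return canon


def parse_gemato_output(text: str) -> dict:
    """Pull the 'valid', 'primary' and 'subkey' facts out of gemato's log lines."""
    info = {"valid": False, "primary": None, "subkey": None}
    for raw in text.splitlines():
        line = raw.strip()
        if _VALID_RE.match(line):
            info["valid"] = True
        elif (m := _PRIMARY_RE.match(line)):
            info["primary"] = normalize_fpr(m.group(1))
        elif (m := _SUBKEY_RE.match(line)):
            info["subkey"] = normalize_fpr(m.group(1))
    return info


def primary_key_matches(text: str, expected: str = EXPECTED_PRIMARY_FPR) -> bool:
    """True only if gemato reported a valid signature AND the primary key
    fingerprint equals the expected one.

    The subkey is deliberately not compared: signing subkeys rotate, and the
    signatures page lists the primary key, which is what the item says to check.
    """
    info = parse_gemato_output(text)
    if not info["valid"] or info["primary"] is None:
        return False
    return info["primary"] == normalize_fpr(expected)


# Constructed sample: the placeholder output printed in the news item.
SAMPLE_OK = """\
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""

# Constructed: a signature that verifies, but under a different primary key.
# This is exactly the case a fingerprint check exists to catch.
SAMPLE_WRONG_KEY = SAMPLE_OK.replace(
    "1234567890ABCDEF1234567890ABCDEF12345678",
    "0000000000000000000000000000000000000000",
)


if __name__ == "__main__":
    import sys

    # Usage: emerge --sync 2>&1 | python3 check_gemato_fpr.py
    data = SAMPLE_OK if sys.stdin.isatty() else sys.stdin.read()
    if primary_key_matches(data):
        print("primary key fingerprint matches the pinned value")
        sys.exit(0)
    print("MISMATCH or no valid signature: do not install packages, re-sync")
    sys.exit(1)
```

Note that a matching fingerprint only tells you the sync was signed by the key you pinned; pinning the wrong value (for example one copied over an unchecked HTTPS connection, which is why the item says to check the site's certificate) makes the comparison meaningless.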