From: Kristian Fiskerstrand
To: gentoo-dev@lists.gentoo.org, Michał Górny
Subject: Re: [gentoo-dev] [News item review] Portage rsync tree verification
Date: Thu, 25 Jan 2018 12:01:12 +0100
Message-ID: <4b01cbd2-ce27-a701-46b8-472b32b9ef4e@gentoo.org>
In-Reply-To: <1516874667.1833.4.camel@gentoo.org>
On 01/25/2018 11:04 AM, Michał Górny wrote:
> Hi,
> 

Thanks for your work on this!

> This one would be committed once new sys-apps/portage release is
> wrapped up and hits ~arch.
> 
> ---
> Title: Portage rsync tree verification
> Author: Michał Górny
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: 
> 
> Starting with sys-apps/portage-2.3.22, Portage enables strong
> cryptographic verification of the Gentoo rsync tree by default. This
> aims to prevent malicious third parties from altering the contents of
> the ebuild repository received by our users.

Just for the sake of it, I would remove "strong" here, as it is a description and not a PR document.

Should we be consistent with referencing, so e.g. "the Gentoo ebuild repository as distributed through rsync", or something? Atm we seem to be using different terms all over the place, so we should try to harmonize a bit.

> 
> The verification is implemented using app-portage/gemato. Currently,

... "implemented in", as opposed to "using"? It's implemented using various cryptographic primitives, but gemato is the implementation itself, of sorts.

> the whole repository is verified after syncing. On systems with slow
> hard drives, this could take around 2 minutes. If you wish to
> disable it, you can disable the 'rsync-verify' flag on

USE flag?

> sys-apps/portage or set 'sync-rsync-verify-metamanifest = no' in your
> repos.conf.
> 
> Please note that the verification currently does not prevent Portage
> from using the repository after syncing. If 'emerge --sync' fails, do
> not install any packages and retry syncing. In case of prolonged or
> frequent verification failures, please make sure to report a bug
> including the failing mirror addresses (found in emerge.log).
> 
> The verification uses keys provided by the app-crypt/gentoo-keys
> package. The keys are refreshed from the keyserver before every use
> in order to check for revocation. The post-sync verification ensures
> that the key package is verified itself. However, manual
> verification is required before the first use.

Maybe some wording around binary keyring? e.g. "the verification uses information from the binary keyring provided by app-crypt/gentoo-keys"? In particular the reference to "key package" might be misread (and the keyring consists of multiple public keyblocks, which include much more information than the cryptographic keys per se).

> 
> On new Gentoo installations including portage-2.3.22, the

stage3s?

> verification of the keys will be covered by verifying the
> installation media and repository snapshot signatures. On existing
> installations, you need to manually compare the primary key
> fingerprint (reported by gemato on every sync) against the official
> Gentoo keys [1]. An example gemato output is:
> 
> INFO:root:Valid OpenPGP signature found:
> INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
> INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
> 
> The primary key printed must match 'Gentoo Portage Snapshot Signing
> Key' on the site. Please make sure to also check the certificate
> used for the secure connection to the site!
> 
> [1]:https://www.gentoo.org/downloads/signatures/
> ---
> 

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
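As an added example (not part of this thread, nor gemato's or Portage's own code), the check below does the manual comparison the news item asks existing installations to perform: it extracts the primary-key fingerprint from gemato's post-sync output and compares it with a fingerprint copied from the signatures page. The sample output and the expected fingerprint are constructed placeholders taken from the quoted item, not real Gentoo keys.

```python
import re

# Constructed sample of gemato's post-sync output, modelled on the lines
# quoted in the news item. Placeholder fingerprints, not real Gentoo keys.
SAMPLE_GEMATO_OUTPUT = """\
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""

# The fingerprint as a user would copy it from the signatures page, in the
# usual 4-character groups. Constructed placeholder value.
EXPECTED_SNAPSHOT_KEY_FPR = "1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678"

# Only the primary-key line matters; subkey lines are intentionally skipped.
_PRIMARY_RE = re.compile(r"^INFO:root:- primary key:\s*([0-9A-Fa-f ]+)\s*$", re.M)


def normalize_fpr(fpr):
    """Drop whitespace, upper-case, and insist on a full 40-hex-digit
    (160-bit) OpenPGP v4 fingerprint, so a short key ID is never accepted
    as a match."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a full OpenPGP fingerprint: %r" % fpr)
    return cleaned


def primary_key_fingerprints(gemato_output):
    """Return every primary-key fingerprint gemato reported, normalized."""
    return [normalize_fpr(m) for m in _PRIMARY_RE.findall(gemato_output)]


def verify_primary_key(gemato_output, expected_fpr):
    """True only if gemato reported exactly one primary key and it equals
    the expected fingerprint. A matching subkey alone is not enough, since
    it says nothing about which primary key it belongs to."""
    found = primary_key_fingerprints(gemato_output)
    return len(found) == 1 and found[0] == normalize_fpr(expected_fpr)
```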