* [gentoo-portage-dev] [PATCH] emerge-webrsync: use gkeys to verify gpg signatures (bug 597918)
@ 2016-10-27 17:16 Zac Medico
2016-10-27 17:38 ` Brian Dolbec
2016-10-27 18:09 ` Alexander Berntsen
0 siblings, 2 replies; 5+ messages in thread
From: Zac Medico @ 2016-10-27 17:16 UTC
To: gentoo-portage-dev; +Cc: Zac Medico
Use gkeys to verify gpg signatures by default. Refresh the gentoo
snapshot signing key before signature verification, in order to ensure
that the latest revocation data is available. Add an --insecure option
which disables gpg signature verification. Warn about man-in-the-middle
attacks when the --insecure option is used. Deprecate the pre-existing
webrsync-gpg feature since it requires manual gpg configuration.
X-Gentoo-Bug: 597918
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=597918
---
bin/emerge-webrsync | 51 +++++++++++++++++++++++++++++++++++++++++++++++----
man/make.conf.5 | 6 ++++--
2 files changed, 51 insertions(+), 6 deletions(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 9961ad8..84609e0 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -66,13 +66,24 @@ fi
do_verbose=0
do_debug=0
keep=false
+insecure=false
+
+insecure_bypass_msg() {
+ wecho "The --insecure option can be used to bypass this step."
+ insecure_warning_msg
+}
+
+insecure_warning_msg() {
+ wecho "The --insecure option prevents detection of"
+ wecho "man-in-the-middle attacks!"
+}
if has webrsync-gpg ${FEATURES} ; then
- WEBSYNC_VERIFY_SIGNATURE=1
+ VERIFY_SIGNATURE_LEGACY_MODE=1
else
- WEBSYNC_VERIFY_SIGNATURE=0
+ VERIFY_SIGNATURE_LEGACY_MODE=0
fi
-if [ ${WEBSYNC_VERIFY_SIGNATURE} != 0 -a -z "${PORTAGE_GPG_DIR}" ]; then
+if [ ${VERIFY_SIGNATURE_LEGACY_MODE} != 0 -a -z "${PORTAGE_GPG_DIR}" ]; then
eecho "please set PORTAGE_GPG_DIR in make.conf"
exit 1
fi
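Review bot: insecure_bypass_msg, added at the top of this hunk, offers --insecure as the way past a failure, and it is called from every new error path (gkeys missing, refresh-key failed). That steers users toward switching verification off as the first remedy. Suggest rewording so the message points at fixing the cause first and names --insecure as a last resort; insecure_warning_msg already states what is lost. Since the `[ ${VERIFY_SIGNATURE_LEGACY_MODE} != 0 -a -z "${PORTAGE_GPG_DIR}" ]` line is being touched anyway, it could also move to `[[ ... && ... ]]` with the expansion quoted, matching the style of the new code.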
@@ -176,7 +187,7 @@ check_file_signature() {
local file="$2"
local r=1
- if [ ${WEBSYNC_VERIFY_SIGNATURE} != 0 ]; then
+ if [ ${VERIFY_SIGNATURE_LEGACY_MODE} != 0 ]; then
__vecho "Checking signature ..."
@@ -186,6 +197,17 @@ check_file_signature() {
eecho "cannot check signature: gpg binary not found"
exit 1
fi
+ elif ! ${insecure}; then
+ __vecho "Checking signature ..."
+
+ # gkeys requires that the signature file be in the same directory
+ # as the snapshot
+ if [[ ${signature} != ${file}.gpgsig ]]; then
+ # this should not happen
+ eecho "assertion failed: ${signature} != ${file}.gpgsig"
+ exit 1
+ fi
+ gkeys verify -C gentoo -n snapshot -F "${file}" && r=0
else
r=0
fi
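Review bot: in the new elif branch, the right-hand side of `[[ ${signature} != ${file}.gpgsig ]]` is unquoted, so bash matches it as a glob pattern rather than comparing literal strings. A snapshot path containing `*`, `?` or `[` could make the assertion pass for a non-identical path or fail for an identical one; quote it as `"${file}.gpgsig"`. Also, `${signature}` is never passed to gkeys: the call `gkeys verify -C gentoo -n snapshot -F "${file}" && r=0` trusts gkeys to find the .gpgsig beside the snapshot and to return nonzero when it is missing or bad. A short comment stating that assumption next to the call would make the fail-closed behaviour explicit.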
@@ -445,6 +467,7 @@ usage() {
Options:
--revert=yyyymmdd Revert to snapshot
+ --insecure Disable gpg signature verification
-k, --keep Keep snapshots in DISTDIR (don't delete)
-q, --quiet Only output errors
-v, --verbose Enable verbose output
@@ -467,6 +490,7 @@ main() {
local v=${arg#*=}
case ${arg} in
-h|--help) usage ;;
+ --insecure) insecure=true ;;
-k|--keep) keep=true ;;
-q|--quiet) PORTAGE_QUIET=1 ;;
-v|--verbose) do_verbose=1 ;;
@@ -512,6 +536,25 @@ main() {
exit 1
fi
+ if ${insecure}; then
+ insecure_warning_msg
+ elif [[ ${VERIFY_SIGNATURE_LEGACY_MODE} == 1 ]]; then
+ wecho "FEATURES=webrsync-gpg is deprecated."
+ wecho "By default, the new gkeys verification mode will be used"
+ wecho "when FEATURES=webrsync-gpg is not enabled."
+ else
+ if ! type -P gkeys >/dev/null; then
+ eecho "gkeys: command not found"
+ eecho "Please try again after installing gkeys: emerge app-crypt/gkeys"
+ insecure_bypass_msg
+ exit 1
+ elif ! gkeys refresh-key -C gentoo -n snapshot; then
+ eecho "gkeys refresh-key failed"
+ insecure_bypass_msg
+ exit 1
+ fi
+ fi
+
[[ ${do_debug} -eq 1 ]] && set -x
if [[ -n ${revert_date} ]] ; then
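Review bot: when --insecure is combined with FEATURES=webrsync-gpg, the first branch here prints insecure_warning_msg and skips the deprecation notice, but check_file_signature tests VERIFY_SIGNATURE_LEGACY_MODE before reaching `elif ! ${insecure}`, so the legacy check still runs. The user is told verification is off while it is in fact on, and the earlier PORTAGE_GPG_DIR check can still exit. Either let --insecure take precedence in check_file_signature as well, or test legacy mode first in this block and report that --insecure is ignored in that mode, so the message matches what the script does.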
diff --git a/man/make.conf.5 b/man/make.conf.5
index aea189e..5b809ed 100644
--- a/man/make.conf.5
+++ b/man/make.conf.5
@@ -1,4 +1,4 @@
-.TH "MAKE.CONF" "5" "Feb 2016" "Portage VERSION" "Portage"
+.TH "MAKE.CONF" "5" "Oct 2016" "Portage VERSION" "Portage"
.SH "NAME"
make.conf \- custom settings for Portage
.SH "SYNOPSIS"
@@ -663,7 +663,9 @@ Portage would have to waste time validating ownership for each and every sync
operation.
.TP
.B webrsync-gpg
-Enable GPG verification when using \fIemerge\-webrsync\fR.
+Enable legacy GPG verification mode when using \fIemerge\-webrsync\fR.
+This feature is deprecated. By default, the new \fBgkeys\fR(1) verification
+mode will be used when this feature is not enabled.
.TP
.B xattr
Preserve extended attributes (filesystem-stored metadata) when installing
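Review bot: the reworded webrsync-gpg entry says the gkeys mode is used by default, but it does not say that emerge-webrsync now exits with an error unless gkeys is installed, nor that the --insecure option exists to skip verification. Suggest adding a sentence here naming the app-crypt/gkeys requirement and pointing to --insecure with its man-in-the-middle caveat, so the change in default behaviour is documented somewhere other than the script's error output.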
--
2.7.4
* Re: [gentoo-portage-dev] [PATCH] emerge-webrsync: use gkeys to verify gpg signatures (bug 597918)
From: Brian Dolbec @ 2016-10-27 17:38 UTC
To: gentoo-portage-dev
On Thu, 27 Oct 2016 10:16:42 -0700
Zac Medico <zmedico@gentoo.org> wrote:
> Use gkeys to verify gpg signatures by default. Refresh the gentoo
> snapshot signing key before signature verification, in order to ensure
> that the latest revocation data is available. Add an --insecure option
> which disables gpg signature verification. Warn about
> man-in-the-middle attacks when the --insecure option is used.
> Deprecate the pre-existing webrsync-gpg feature since it requires
> manual gpg configuration.
>
> X-Gentoo-Bug: 597918
> X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=597918
> ---
> bin/emerge-webrsync | 51
> +++++++++++++++++++++++++++++++++++++++++++++++----
> man/make.conf.5 | 6 ++++-- 2 files changed, 51 insertions(+), 6
> deletions(-)
>
LGTM
--
Brian Dolbec <dolsen>
* Re: [gentoo-portage-dev] [PATCH] emerge-webrsync: use gkeys to verify gpg signatures (bug 597918)
From: Alexander Berntsen @ 2016-10-27 18:09 UTC
To: gentoo-portage-dev
On 27/10/16 19:16, Zac Medico wrote:
> Use gkeys to verify gpg signatures by default. Refresh the gentoo
> snapshot signing key before signature verification, in order to
> ensure that the latest revocation data is available. Add an
> --insecure option which disables gpg signature verification. Warn
> about man-in-the-middle attacks when the --insecure option is used.
> Deprecate the pre-existing webrsync-gpg feature since it requires
> manual gpg configuration.
%s/ gpg/ OpenPGP/
--
Alexander
bernalex@gentoo.org
https://secure.plaimi.net/~alexander
* Re: [gentoo-portage-dev] [PATCH] emerge-webrsync: use gkeys to verify gpg signatures (bug 597918)
From: Zac Medico @ 2016-10-27 19:33 UTC
To: gentoo-portage-dev
On 10/27/2016 11:09 AM, Alexander Berntsen wrote:
> On 27/10/16 19:16, Zac Medico wrote:
>> Use gkeys to verify gpg signatures by default. Refresh the gentoo
>> snapshot signing key before signature verification, in order to
>> ensure that the latest revocation data is available. Add an
>> --insecure option which disables gpg signature verification. Warn
>> about man-in-the-middle attacks when the --insecure option is used.
>> Deprecate the pre-existing webrsync-gpg feature since it requires
>> manual gpg configuration.
> %s/ gpg/ OpenPGP/
>
Thanks, fixed.
--
Thanks,
Zac
* Re: [gentoo-portage-dev] [PATCH] emerge-webrsync: use gkeys to verify gpg signatures (bug 597918)
From: Zac Medico @ 2016-10-27 19:36 UTC
To: gentoo-portage-dev
On 10/27/2016 10:38 AM, Brian Dolbec wrote:
> On Thu, 27 Oct 2016 10:16:42 -0700
> Zac Medico <zmedico@gentoo.org> wrote:
>
>> Use gkeys to verify gpg signatures by default. Refresh the gentoo
>> snapshot signing key before signature verification, in order to ensure
>> that the latest revocation data is available. Add an --insecure option
>> which disables gpg signature verification. Warn about
>> man-in-the-middle attacks when the --insecure option is used.
>> Deprecate the pre-existing webrsync-gpg feature since it requires
>> manual gpg configuration.
>>
>> X-Gentoo-Bug: 597918
>> X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=597918
>> ---
>> bin/emerge-webrsync | 51
>> +++++++++++++++++++++++++++++++++++++++++++++++----
>> man/make.conf.5 | 6 ++++-- 2 files changed, 51 insertions(+), 6
>> deletions(-)
>>
>
> LGTM
>
Thanks, merged with %s/ gpg/ OpenPGP/:
https://gitweb.gentoo.org/proj/portage.git/commit/?id=98c250cceaf380d6dbeacac90482a5d1956dcb80
--
Thanks,
Zac