public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] [PATCH 1/2] sync: Split key refresh into explicit WKD/keyserver phases
@ 2019-07-05  5:19 Michał Górny
From: Michał Górny @ 2019-07-05  5:19 UTC
  To: gentoo-portage-dev; +Cc: Michał Górny

Split key refresh into two parts: first try to refresh the key via WKD,
then via keyservers, rather than using the combined function that is
less explicit.  This ensures that users are correctly informed whether
keyservers are actually used, and therefore whether they may be subject
to SKS poisoning attacks.  Furthermore, it excludes WKD from the retry loop.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 lib/portage/sync/syncbase.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py
index d15bb6d14..46644d68e 100644
--- a/lib/portage/sync/syncbase.py
+++ b/lib/portage/sync/syncbase.py
@@ -252,11 +252,17 @@ class SyncBase(object):
 		@type openpgp_env: gemato.openpgp.OpenPGPEnvironment
 		"""
 		out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts))
+		out.ebegin('Refreshing keys via WKD')
+		if openpgp_env.refresh_keys_wkd():
+			out.eend(0)
+			return
+		out.eend(1)
+
 		out.ebegin('Refreshing keys from keyserver{}'.format(
 			('' if self.repo.sync_openpgp_keyserver is None else ' ' + self.repo.sync_openpgp_keyserver)))
 		retry_decorator = self._key_refresh_retry_decorator()
 		if retry_decorator is None:
-			openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+			openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
 		else:
 			def noisy_refresh_keys():
 				"""
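Review bot: the WKD attempt sits outside the retry decorator and reports a miss as a failed step: `out.eend(1)` prints a failure marker whenever `openpgp_env.refresh_keys_wkd()` returns false, yet for keys that are simply not published via WKD that is the expected path before falling through to the keyserver, so users will see a red failure on every sync. Consider wording the ebegin/eend pair so a WKD miss reads as a fallback rather than an error, or emitting an explicit "falling back to keyserver" line. Also, `refresh_keys_wkd()` and `refresh_keys_keyserver()` replace the single `refresh_keys()` call, so the gemato release that exposes the split API has to become the minimum dependency; neither this hunk nor the commit message says which version that is.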
@@ -264,7 +270,7 @@ class SyncBase(object):
 				errors, display errors as soon as they occur.
 				"""
 				try:
-					openpgp_env.refresh_keys(keyserver=self.repo.sync_openpgp_keyserver)
+					openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)
 				except Exception as e:
 					writemsg_level("%s\n" % (e,),
 						level=logging.ERROR, noiselevel=-1)
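Review bot: `openpgp_env.refresh_keys_keyserver(keyserver=self.repo.sync_openpgp_keyserver)` now appears verbatim in both the undecorated branch and inside `noisy_refresh_keys()`; binding it once before the `if retry_decorator is None:` check (e.g. `refresh = functools.partial(openpgp_env.refresh_keys_keyserver, keyserver=self.repo.sync_openpgp_keyserver)`) would keep the two paths from drifting apart on the next API change. The hunk also ends inside the `except Exception as e:` handler, which so far only logs at ERROR level; please confirm the exception is still propagated afterwards so the retry decorator actually counts the failed attempt.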
-- 
2.22.0


* [gentoo-portage-dev] [PATCH 2/2] repos.conf: Default to using Gentoo keyservers
@ 2019-07-05  5:19 Michał Górny
From: Michał Górny @ 2019-07-05  5:19 UTC
  To: gentoo-portage-dev; +Cc: Michał Górny

Default to using hkps://keys.gentoo.org, which is guaranteed to hold
the newest copies of Gentoo keys, is secured against key poisoning
and is more reliable than SKS.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 cnf/repos.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cnf/repos.conf b/cnf/repos.conf
index e84840bf2..2d73b3e35 100644
--- a/cnf/repos.conf
+++ b/cnf/repos.conf
@@ -10,6 +10,7 @@ sync-rsync-verify-jobs = 1
 sync-rsync-verify-metamanifest = yes
 sync-rsync-verify-max-age = 24
 sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
+sync-openpgp-keyserver = hkps://keys.gentoo.org
 sync-openpgp-key-refresh-retry-count = 40
 sync-openpgp-key-refresh-retry-overall-timeout = 1200
 sync-openpgp-key-refresh-retry-delay-exp-base = 2
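Review bot: `sync-openpgp-keyserver = hkps://keys.gentoo.org` changes the default for every installation shipping this repos.conf, but the series touches no documentation; the repos.conf man page should record that the Gentoo keyserver is now the default and that the retry knobs directly below it (`sync-openpgp-key-refresh-retry-count = 40`, `sync-openpgp-key-refresh-retry-overall-timeout = 1200`) now target a single host rather than an SKS pool, so an outage of keys.gentoo.org can hold a sync for up to 20 minutes before giving up. Confirm that is the intended trade-off, or consider a lower retry count for the single-host case.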
-- 
2.22.0


* Re: [gentoo-portage-dev] [PATCH 2/2] repos.conf: Default to using Gentoo keyservers
@ 2019-07-05  5:38 Zac Medico
From: Zac Medico @ 2019-07-05  5:38 UTC
  To: gentoo-portage-dev, Michał Górny


This series looks good. Please merge.
-- 
Thanks,
Zac


