public inbox for gentoo-user@lists.gentoo.org
From: gevisz <gevisz@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] syncing via via git and signature failure
Date: Thu, 5 Jul 2018 12:47:35 +0300
Message-ID: <CA+t6X7f4PrkzG7CRv05NBTzMsRbOMfhskSdw13+K1VobvMOifQ@mail.gmail.com>
In-Reply-To: <35604617.Q5ejeX2fDg@dell_xps>

2018-07-05 1:25 GMT+03:00 Mick <michaelkintzios@gmail.com>:
> On Wednesday, 4 July 2018 19:32:33 BST gevisz wrote:
>> 2018-07-04 21:01 GMT+03:00 Mick <michaelkintzios@gmail.com>:
>> > On Wednesday, 4 July 2018 18:57:56 BST gevisz wrote:
>> >> 2018-07-04 11:55 GMT+03:00 Alex Thorne <lexiconifernelius@gmail.com>:
>> >> >> I use rsync and get the following for more than a day now;
>> >> >>
>> >> >> !!! Manifest verification failed:
>> >> >> OpenPGP verification failed:
>> >> >> gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
>> >> >> gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
>> >> >> gpg: Can't check signature: No public key
>> >> >
>> >> > I'm seeing this too. For me `app-crypt/gentoo-keys` is somehow no
>> >> > longer installed and `/var/lib/gentoo/gkeys` is missing. I have no idea
>> >> > how this happened. Perhaps it somehow got into `emerge --depclean`
>> >> > and I didn't catch it.
>> >>
>> >> No. Gentoo maintainers just overlooked that all Gentoo signing keys
>> >> expired on July 1, and added new openpgp-keys-gentoo into portage
>> >> tree only on July 2.
>> >>
>> >> So, since July 1, rsync cannot verify any new portage tree and cannot
>> >> download app-crypt/openpgp-keys-gentoo-release-20180702
>> >>
>> >> It was discovered in the thread
>> >> "All Gentoo signing key expired and no way to fix it"
>> >
>> > Is there a documented manual workaround we could follow at present,
>> > irrespective of our sync'ing mechanism of choice?

It seems that everything is explained in
https://wiki.gentoo.org/wiki/Portage_Security
(This link was first provided in this thread by methylherd.)

>> For me, it somehow worked by manually refreshing the Gentoo signing keys by
>> executing the following two commands:
>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D
>> in different order and sourcing /etc/profile
>>
>> But, please, note that I use emerge-webrsync to update the portage tree.
>
> Thanks gevisz, the first line to refresh keys fails, because in
> /var/lib/gentoo/ I only have a news/ subdirectory.

Interestingly, it was the second line that seemed to fail in my case.
(I was in a hurry and executed it so many times that I cannot
 say it for sure.)

But, as it has already been pointed out by Bill Kenworthy and
explained in https://wiki.gentoo.org/wiki/Portage_Security ,
the internal mechanisms for checking Gentoo signatures
are different between git, rsync and webrsync.
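
Added example, not part of gevisz's message or of Portage: a shell function that reads `gpg --with-colons --list-keys` output and reports expired or soon-to-expire keys, the condition this thread attributes the sync failure to. The sample listing and key IDs are constructed, the name `check_key_expiry` is hypothetical, and field 7 is assumed to be an epoch timestamp as in GnuPG 2.x.

```shell
#!/bin/sh
# Added example (not from the thread): report expired, revoked or
# soon-to-expire keys from `gpg --with-colons --list-keys` output on stdin.
# Assumes GnuPG 2.x colon format: $1 record type, $2 validity,
# $5 key ID, $7 expiry as epoch seconds (empty = never expires).

# check_key_expiry WARN_DAYS NOW_EPOCH  -> exit status 1 if any key is not OK
check_key_expiry() {
    awk -F: -v warn_days="$1" -v now="$2" '
        $1 != "pub" && $1 != "sub" { next }   # skip tru, uid, fpr records
        {
            expiry = $7
            if ($2 == "r")
                state = "REVOKED"
            else if ($2 == "e" || (expiry != "" && expiry + 0 <= now + 0))
                state = "EXPIRED"             # flagged by gpg, or date passed
            else if (expiry != "" && expiry - now <= warn_days * 86400)
                state = "EXPIRING"
            else
                state = "OK"
            if (state != "OK") bad = 1
            printf "%s %s %s\n", state, $1, $5
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (key IDs and dates are made up).
sample_listing() {
    cat <<'EOF'
tru::1:1530748800:0:3:1:5
pub:e:4096:1:00000000000000A1:1491004800:1530403200::-:::sc::::::
uid:e::::1491004800::0000000000000000000000000000000000000000::Constructed Key A <a@example.invalid>::::::::::0:
pub:-:4096:1:00000000000000B2:1491004800:1532000000::-:::sc::::::
pub:-:4096:1:00000000000000C3:1491004800:::-:::sc::::::
EOF
}

# "Now" fixed at 2018-07-05 00:00 UTC so the output is reproducible.
sample_listing | check_key_expiry 30 1530748800 || echo "keyring needs attention"

# Real use, with the keyring path quoted in the thread:
# gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release \
#     --with-colons --list-keys | check_key_expiry 30 "$(date +%s)"
```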

