* Re: [gentoo-user] syncing via via git and signature failure
2018-07-04 22:25 ` Mick
@ 2018-07-04 23:06 ` Floyd Anderson
2018-07-05 2:57 ` John Covici
2018-07-04 23:28 ` methylherd
2018-07-05 9:47 ` gevisz
2 siblings, 1 reply; 17+ messages in thread
From: Floyd Anderson @ 2018-07-04 23:06 UTC
To: gentoo-user
On Wed, 04 Jul 2018 23:25:16 +0100
Mick <michaelkintzios@gmail.com> wrote:
>
>Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
>gentoo/ I only have a news/ subdirectory.
>
>Interestingly, I already have app-crypt/openpgp-keys-gentoo-release installed,
>but still get 'gpg: Can't check signature: No public key' error when running
>rsync.
For me, using the keys from package:
app-crypt/openpgp-keys-gentoo-release-20180703 [1]
and running gemato with those:
# gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
solves the issue. Afterwards I was able to update (pulls and install the
new version app-crypt/openpgp-keys-gentoo-release-20180703).
Hope that helps.
References:
- [1] <https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-release.asc.20180703.gz>
--
Regards,
floyd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-04 23:06 ` Floyd Anderson
@ 2018-07-05 2:57 ` John Covici
2018-07-05 16:06 ` Floyd Anderson
0 siblings, 1 reply; 17+ messages in thread
From: John Covici @ 2018-07-05 2:57 UTC
To: gentoo-user
On Wed, 04 Jul 2018 19:06:29 -0400,
Floyd Anderson wrote:
>
> On Wed, 04 Jul 2018 23:25:16 +0100
> Mick <michaelkintzios@gmail.com> wrote:
> >
> > Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
> > gentoo/ I only have a news/ subdirectory.
> >
> > Interestingly, I already have app-crypt/openpgp-keys-gentoo-release installed,
> > but still get 'gpg: Can't check signature: No public key' error when running
> > rsync.
>
> For me, using the keys from package:
>
> app-crypt/openpgp-keys-gentoo-release-20180703 [1]
>
> and running gemato with those:
>
> # gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
>
> solves the issue. Afterwards I was able to update (pulls and
> install the new version
> app-crypt/openpgp-keys-gentoo-release-20180703).
>
> Hope that helps.
>
>
> References:
>
> - [1] <https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-release.asc.20180703.gz>
I got the following when running your command:
gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
INFO:root:Refreshing keys from keyserver...
INFO:root:Keys refreshed.
ERROR:root:Top-level Manifest not found in /usr/portage/
How can I fix, or do I need to fix?
Thanks.
--
Your life is like a penny. You're going to lose it. The question is:
How do
you spend it?
John Covici wb2una
covici@ccs.covici.com
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-05 2:57 ` John Covici
@ 2018-07-05 16:06 ` Floyd Anderson
2018-07-06 23:40 ` Bill Kenworthy
0 siblings, 1 reply; 17+ messages in thread
From: Floyd Anderson @ 2018-07-05 16:06 UTC
To: gentoo-user
On Wed, 04 Jul 2018 22:57:05 -0400
John Covici <covici@ccs.covici.com> wrote:
>
>I got the following when running your command:
>gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
>INFO:root:Refreshing keys from keyserver...
>INFO:root:Keys refreshed.
To be more specific, I wasn't interested in verifying the tree. My main
goal was to get:
INFO:root:Keys refreshed.
because my sync/update script hung at:
INFO:root:Refreshing keys from keyserver...
all the time, caused by:
gpg: Can't check signature: No public key
result, so I wasn't able to update.
>ERROR:root:Top-level Manifest not found in /usr/portage/
>
>How can I fix, or do I need to fix?
I've no idea why your portage tree doesn't have a top-level Manifest
file (assuming "/usr/portage" is the location of your tree), but it
should be created/updated on next syncing.
--
Regards,
floyd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-05 16:06 ` Floyd Anderson
@ 2018-07-06 23:40 ` Bill Kenworthy
2018-07-07 1:42 ` Floyd Anderson
0 siblings, 1 reply; 17+ messages in thread
From: Bill Kenworthy @ 2018-07-06 23:40 UTC
To: gentoo-user
On 06/07/18 00:06, Floyd Anderson wrote:
> On Wed, 04 Jul 2018 22:57:05 -0400
> John Covici <covici@ccs.covici.com> wrote:
>>
>> I got the following when running your command:
>> gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
>> INFO:root:Refreshing keys from keyserver...
>> INFO:root:Keys refreshed.
>
> To be more specific, I wasn't interested in verifying the tree. My
> main goal was to get:
>
> INFO:root:Keys refreshed.
>
> because my sync/update script hung at:
>
> INFO:root:Refreshing keys from keyserver...
>
> all the time, caused by:
>
> gpg: Can't check signature: No public key
>
> result, so I wasn't able to update.
>
>> ERROR:root:Top-level Manifest not found in /usr/portage/
>>
>> How can I fix, or do I need to fix?
>
> I've no idea why your portage tree doesn't have a top-level Manifest
> file (assuming "/usr/portage" is the location of your tree), but it
> should be created/updated on next syncing.
>
>
I still have this error and I've tried a number of things including:
gemato create -p ebuild -K /usr/share/openpgp-keys/gentoo-release.asc /usr/portage/
next emerge --sync error-ed on a lot of private manifest files but
missing root manifest error disappeared. Deleted them and successfully
resynced.
olympus /usr/portage # gemato verify -s -K /usr/share/openpgp-keys/gentoo-release.asc /usr/portage/
INFO:root:Refreshing keys from keyserver...
INFO:root:Keys refreshed.
ERROR:root:Top-level Manifest /usr/portage/Manifest is not OpenPGP signed
olympus /usr/portage #
also did a "git reset --hard"
still get:
olympus /usr/portage # emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
/usr/bin/git pull
Already up to date.
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys from keyserver
...
[ ok ]
* No valid signature found: unable to verify signature (missing key?)
q: Updating ebuild cache in /usr/portage ...
BillK
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-06 23:40 ` Bill Kenworthy
@ 2018-07-07 1:42 ` Floyd Anderson
2018-07-07 4:15 ` Bill Kenworthy
0 siblings, 1 reply; 17+ messages in thread
From: Floyd Anderson @ 2018-07-07 1:42 UTC
To: gentoo-user
Hi Bill,
On Sat, 07 Jul 2018 07:40:00 +0800
Bill Kenworthy <billk@iinet.net.au> wrote:
>
>I still have this error and I've tried a number of things including:
>
>gemato create -p ebuild -K /usr/share/openpgp-keys/gentoo-release.asc
>/usr/portage/
>
>next emerge --sync error-ed on a lot of private manifest files but
>missing root manifest error disappeared. Deleted them and successfully
>resynced.
>
>olympus /usr/portage # gemato verify -s -K
>/usr/share/openpgp-keys/gentoo-release.asc /usr/portage/
>INFO:root:Refreshing keys from keyserver...
>INFO:root:Keys refreshed.
>ERROR:root:Top-level Manifest /usr/portage/Manifest is not OpenPGP signed
>olympus /usr/portage #
>
>also did a "git reset --hard"
>
>still get:
>
>olympus /usr/portage # emerge --sync
>>>> Syncing repository 'gentoo' into '/usr/portage'...
>/usr/bin/git pull
>Already up to date.
> * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
> * Refreshing keys from keyserver
>...
>[ ok ]
> * No valid signature found: unable to verify signature (missing key?)
>q: Updating ebuild cache in /usr/portage ...
please be aware of the context of my response to Mick. He uses *rsync*
and so do I. It seems you are using Git and thus, a different tree
verification mechanism. I don't know why you have gemato installed,
because it comes usually only with sys-apps/portage[rsync-verify] set
and is only related to *rsync* therefore.
Have a look at:
- [1] <https://www.gentoo.org/glep/glep-0074.html>
- [2] <https://www.gentoo.org/support/news-items/2018-01-30-portage-rsync-verification.html>
- [3] <https://wiki.gentoo.org/wiki/Portage_Security>
for some further information. Maybe:
$ git status --untracked-files
within your tree location can help to identify and sanitise the tree
from any of your (with gemato) created files.
--
Regards,
floyd
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-07 1:42 ` Floyd Anderson
@ 2018-07-07 4:15 ` Bill Kenworthy
0 siblings, 0 replies; 17+ messages in thread
From: Bill Kenworthy @ 2018-07-07 4:15 UTC
To: gentoo-user
On 07/07/18 09:42, Floyd Anderson wrote:
> Hi Bill,
>
> On Sat, 07 Jul 2018 07:40:00 +0800
> Bill Kenworthy <billk@iinet.net.au> wrote:
>>
>> I still have this error and I've tried a number of things including:
>>
>> gemato create -p ebuild -K /usr/share/openpgp-keys/gentoo-release.asc
>> /usr/portage/
>>
>> next emerge --sync error-ed on a lot of private manifest files but
>> missing root manifest error disappeared. Deleted them and successfully
>> resynced.
>>
>> olympus /usr/portage # gemato verify -s -K
>> /usr/share/openpgp-keys/gentoo-release.asc /usr/portage/
>> INFO:root:Refreshing keys from keyserver...
>> INFO:root:Keys refreshed.
>> ERROR:root:Top-level Manifest /usr/portage/Manifest is not OpenPGP
>> signed
>> olympus /usr/portage #
>>
>> also did a "git reset --hard"
>>
>> still get:
>>
>> olympus /usr/portage # emerge --sync
>>>>> Syncing repository 'gentoo' into '/usr/portage'...
>> /usr/bin/git pull
>> Already up to date.
>> * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
>> * Refreshing keys from keyserver
>> ...
>>
>> [ ok ]
>> * No valid signature found: unable to verify signature (missing key?)
>> q: Updating ebuild cache in /usr/portage ...
>
> please be aware of the context of my response to Mick. He uses *rsync*
> and so do I. It seems you are using Git and thus, a different tree
> verification mechanism. I don't know why you have gemato installed,
> because it comes usually only with sys-apps/portage[rsync-verify] set
> and is only related to *rsync* therefore.
>
> Have a look at:
>
> - [1] <https://www.gentoo.org/glep/glep-0074.html>
> - [2]
> <https://www.gentoo.org/support/news-items/2018-01-30-portage-rsync-verification.html>
> - [3] <https://wiki.gentoo.org/wiki/Portage_Security>
>
> for some further information. Maybe:
>
> $ git status --untracked-files
>
> within your tree location can help to identify and sanitise the tree
> from any of your (with gemato) created files.
>
>
Brings up all the manifest files so I'll clean them out, resync and
see. I do have rsync-verify set but I would not have thought that the
problem. The system was converted to git syncing (by deletion and
recreating) soon after git became available so it could be something
ancient is the cause. None of the docs I have examined seem to cover
portage and git problems very well.
BillK
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-04 22:25 ` Mick
2018-07-04 23:06 ` Floyd Anderson
@ 2018-07-04 23:28 ` methylherd
2018-07-05 9:47 ` gevisz
2 siblings, 0 replies; 17+ messages in thread
From: methylherd @ 2018-07-04 23:28 UTC
To: gentoo-user
On 05.07.2018 at 00:25, Mick wrote:
> On Wednesday, 4 July 2018 19:32:33 BST gevisz wrote:
>> 2018-07-04 21:01 GMT+03:00 Mick <michaelkintzios@gmail.com>:
>>> On Wednesday, 4 July 2018 18:57:56 BST gevisz wrote:
>>>> 2018-07-04 11:55 GMT+03:00 Alex Thorne <lexiconifernelius@gmail.com>:
>>>>>> I use rsync and get the following for more than a day now;
>>>>>>
>>>>>> !!! Manifest verification failed:
>>>>>> OpenPGP verification failed:
>>>>>> gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
>>>>>> gpg: using RSA key
>>>>>> E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
>>>>>> gpg: Can't check signature: No public key
>>>>>
>>>>> I'm seeing this too. For me `app-crypt/gentoo-keys` is somehow no
>>>>> longer
>>>>> installed and `/var/lib/gentoo/gkeys` is missing. I have no idea how
>>>>> this
>>>>> happened. Perhaps it somehow got into `emerge --depclean` and I didn't
>>>>> catch it.
>>>>
>>>> No. Gentoo maintainers just overlooked that all Gentoo signing keys
>>>> expired
>>>> on July 1, and added new openpgp-keys-gentoo into portage tree only on
>>>> July
>>>> 2.
>>>>
>>>> So, since July 1, rsync cannot verify any new portage tree and cannot
>>>> download app-crypt/openpgp-keys-gentoo-release-20180702
>>>>
>>>> It was discovered in the thread
>>>> "All Gentoo signing key expired and no way to fix it"
>>>
>>> Is there a documented manual workaround we could follow at present,
>>> irrespective of our sync'ing mechanism of choice?
>>
>> For me, it somehow worked by manually refreshing the Gentoo signing keys by
>> executing the following two commands:
>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
>> 0xDB6B8C1F96D8BF6D in different order and sourcing /etc/profile
>>
>> But, please, note that I use emerge-webrsync to update the portage tree.
>
> Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
> gentoo/ I only have a news/ subdirectory.
>
> Interestingly, I already have app-crypt/openpgp-keys-gentoo-release installed,
> but still get 'gpg: Can't check signature: No public key' error when running
> rsync.
>
I had the same error (no public key) and fixed it today with a simple
re-emerge. After that, sync runs without a problem.
Your keyfile location depends on the way you sync (git,rsync,webrsync).
There is a nice wiki page for this.[1]
I use portage with rsync, so I don't need app-crypt/gentoo-keys which
should install the keyring for webrsync.
First, I moved /usr/share/openpgp-keys/gentoo-release.asc, looked for
the right key id, fetched the key from the keyserver, there was no
difference because the Key ID published on gentoo.org is too old :-D
After updating
=app-crypt/openpgp-keys-gentoo-release-20180702
=app-crypt/openpgp-keys-gentoo-release-20180703
I've no clue why portage uses a key for only 1 day, but - everything
works :-)
[1] https://wiki.gentoo.org/wiki/Portage_Security
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [gentoo-user] syncing via via git and signature failure
2018-07-04 22:25 ` Mick
2018-07-04 23:06 ` Floyd Anderson
2018-07-04 23:28 ` methylherd
@ 2018-07-05 9:47 ` gevisz
2 siblings, 0 replies; 17+ messages in thread
From: gevisz @ 2018-07-05 9:47 UTC
To: gentoo-user
2018-07-05 1:25 GMT+03:00 Mick <michaelkintzios@gmail.com>:
> On Wednesday, 4 July 2018 19:32:33 BST gevisz wrote:
>> 2018-07-04 21:01 GMT+03:00 Mick <michaelkintzios@gmail.com>:
>> > On Wednesday, 4 July 2018 18:57:56 BST gevisz wrote:
>> >> 2018-07-04 11:55 GMT+03:00 Alex Thorne <lexiconifernelius@gmail.com>:
>> >> >> I use rsync and get the following for more than a day now;
>> >> >>
>> >> >> !!! Manifest verification failed:
>> >> >> OpenPGP verification failed:
>> >> >> gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
>> >> >> gpg: using RSA key
>> >> >> E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
>> >> >> gpg: Can't check signature: No public key
>> >> >
>> >> > I'm seeing this too. For me `app-crypt/gentoo-keys` is somehow no
>> >> > longer installed and `/var/lib/gentoo/gkeys` is missing. I have no idea
>> >> > how this happened. Perhaps it somehow got into `emerge --depclean`
>> >> > and I didn't catch it.
>> >>
>> >> No. Gentoo maintainers just overlooked that all Gentoo signing keys
>> >> expired on July 1, and added new openpgp-keys-gentoo into portage
>> >> tree only on July 2.
>> >>
>> >> So, since July 1, rsync cannot verify any new portage tree and cannot
>> >> download app-crypt/openpgp-keys-gentoo-release-20180702
>> >>
>> >> It was discovered in the thread
>> >> "All Gentoo signing key expired and no way to fix it"
>> >
>> > Is there a documented manual workaround we could follow at present,
>> > irrespective of our sync'ing mechanism of choice?
It seems that everything is explained in
https://wiki.gentoo.org/wiki/Portage_Security
(This link was first provided in this thread by methylherd.)
>> For me, it somehow worked by manually refreshing the Gentoo signing keys by
>> executing the following two commands:
>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
>> 0xDB6B8C1F96D8BF6D in different order and sourcing /etc/profile
>>
>> But, please, note that I use emerge-webrsync to update the portage tree.
>
> Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
> gentoo/ I only have a news/ subdirectory.
Interestingly, it was the second line that seemed to fail in my case.
(I was in a hurry and executed it so many times, so that I cannot
say it for sure.)
But, as it has already been pointed out by Bill Kenworthy and
explained in https://wiki.gentoo.org/wiki/Portage_Security ,
the internal mechanisms for checking Gentoo signatures
are different between git, rsync and webrsync.
^ permalink raw reply [flat|nested] 17+ messages in thread
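A triage helper for the "Can't check signature: No public key" error quoted in this thread, as an added example that is not part of any poster's message: it reads a `gpg --with-colons` key listing and reports whether the fingerprint named in the error is absent from the key file, present but expired or revoked, or present and usable. The function names and the sample listing are constructed for illustration; only the looked-up fingerprint and the key file path come from the thread, and expiry fields are assumed to be epoch seconds.

```shell
#!/bin/sh
# Added example: classify one fingerprint against a key listing.
# Real input (assumes a GnuPG 2.2 release that has --show-keys):
#   gpg --show-keys --with-colons /usr/share/openpgp-keys/gentoo-release.asc \
#     | key_status E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250

# key_status FPR [NOW_EPOCH]: reads `gpg --with-colons` output on stdin, prints
#   missing  no primary key or subkey with that fingerprint is in the listing
#   revoked  found, validity field is "r"
#   expired  found, validity field is "e" or the expiry time is not after NOW
#   valid    found and none of the above
key_status() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    now=${2:-$(date +%s)}
    awk -F: -v want="$want" -v now="$now" '
        # pub/sub records: field 2 = validity, field 7 = expiry (epoch seconds)
        $1 == "pub" || $1 == "sub" { validity = $2; expires = $7; next }
        # the fpr record after each pub/sub has the fingerprint in field 10
        $1 == "fpr" && toupper($10) == want {
            found = 1
            if (validity == "r") { state = "revoked" }
            else if (validity == "e") { state = "expired" }
            else if (expires != "" && expires + 0 <= now + 0) { state = "expired" }
            else { state = "valid" }
            exit
        }
        END { print (found ? state : "missing") }
    '
}

# Constructed sample listing (placeholder key IDs and fingerprints, not real
# Gentoo keys): one key that expired 2018-07-01, one that expires 2020-07-01.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1300000000:1530403200::-:::sc:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:e::::1300000000::::Constructed Expired Key <expired@example.invalid>:
sub:e:4096:1:1111111111111111:1300000000:1530403200:::::s:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1593561600::-:::sc:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:-:4096:1:2222222222222222:1500000000:1593561600:::::s:
fpr:::::::::2222222222222222222222222222222222222222:
EOF
}
```

A result of `missing` means the key file being used does not contain the signing key at all, while `expired` means the file has the key but a stale copy of it.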