View previous topic :: View next topic |
Author |
Message |
vthriller n00b
Joined: 20 May 2024 Posts: 5
|
Posted: Mon May 20, 2024 3:40 am Post subject: [SOLVED] requesting "buildpkg signing for dummies" |
|
|
I'll start with a tangent for those obsessed with fighting XY problems: I'm using Code: | FEATURES="${FEATURES} buildpkg binpkg-multi-instance" | for all my systems, and I'd like to take advantage of official binpkgs while also keeping pkgs for locally built software. However, it seems that:
- it's impossible to install anything built from source if both buildpkg and binpkg-request-signature are present but not binpkg-signing;
- there's no way to selectively enable binpkg-request-signature for binpkgs downloaded from binhosts (unless there's some gross hack around BINPKG_GPG_VERIFY_BASE_COMMAND that I'm not even going to try to figure out because decades later GPG is still utterly confusing to me).
So I fugured: WTH, let's just sign my own pkgs, even if they're only going to be reused by mounting $PKGDIR through sshfs, if ever. How hard can it be? Yet after hours of reading https://wiki.gentoo.org/wiki/Binary_package_guide#Binary_package_OpenPGP_signing and https://wiki.gentoo.org/wiki/GnuPG over and over I still can't figure what's going on, and emerge --debug doesn't show anything relevant to GPG that I can use to narrow things down.
I'll show what's going on in a chroot with fresh stage3 for amd64, and I'll use dev-util/debugedit as an example since it's not available in pre-built form.
Code: |
random / # grep sync-uri /etc/portage/binrepos.conf/gentoobinhost.conf
sync-uri = https://distfiles.gentoo.org/releases/amd64/binpackages/23.0/x86-64
random / # getuto
* Initializing /etc/portage/gnupg ...
...blah blah blah...
random / # cat >> /etc/portage/make.conf <<EOL
PKGDIR="/var/cache/binpkgs"
PORT_LOGDIR="/var/log/emerge-buildlog"
MAKEOPTS="-j12"
EMERGE_DEFAULT_OPTS="-av --usepkg=y"
FEATURES="buildpkg binpkg-multi-instance"
FEATURES="\${FEATURES} getbinpkg binpkg-request-signature"
EOL
random / # emerge debugedit
...
>>> Completed installing dev-util/debugedit-5.0-r3 into /var/tmp/portage/dev-util/debugedit-5.0-r3/image
* Final size of build directory: 2728 KiB (2.6 MiB)
* Final size of installed tree: 176 KiB
...
>>> Done.
!!!
gpg: WARNING: unsafe ownership on homedir '/etc/portage/gnupg'
gpg: no valid OpenPGP data found.
[GNUPG:] NODATA 1
[GNUPG:] NODATA 2
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
[GNUPG:] FAILURE gpg-exit 33554433
!!! Invalid binary package: '/var/cache/binpkgs/dev-util/debugedit/debugedit-5.0-r3-1.gpkg.tar.724258', GPG verify failed
|
To me this already looks like it's trying to sign something despite empty output of emerge --info | grep binpkg-signing. Anyway, let's try to sign a thing:
Code: |
random / # gpg --full-generate-key
...
Please select what kind of key you want:
...
(9) ECC (sign and encrypt) *default*
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519 *default*
...
Your selection? 1
...
Key is valid for? (0) 0
...
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/DD464F0492876A61B08CBAFEB9FE342E12D2B962.rev'
public and secret key created and signed.
random / # gpg --list-keys --keyid-format 0xlong
...
pub ed25519/0xB9FE342E12D2B962 2024-05-20 [SC]
DD464F0492876A61B08CBAFEB9FE342E12D2B962
uid [ultimate] boaty mcboatface <root@localhost>
sub cv25519/0x69D320A155303A30 2024-05-20 [E]
random / # cat >> /etc/portage/make.conf <<EOL
FEATURES="\${FEATURES} binpkg-signing"
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
BINPKG_GPG_SIGNING_KEY="0xB9FE342E12D2B962"
EOL
random / # emerge debugedit
...
>>> Unlocking GPG... flock: cannot open lock file /run/lock/portage-binpkg-gpg.lock: No such file or directory
!!! GPG unlock failed
random / # mkdir /run/lock
random / # emerge debugedit
...
>>> Unlocking GPG... unlocked
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) dev-util/debugedit-5.0-r3::gentoo
...
>>> Completed installing dev-util/debugedit-5.0-r3 into /var/tmp/portage/dev-util/debugedit-5.0-r3/image
...
>>> Done.
!!!
gpg: WARNING: unsafe ownership on homedir '/etc/portage/gnupg'
[GNUPG:] PLAINTEXT 74 0
[GNUPG:] NEWSIG
gpg: Signature made Mon May 20 03:15:06 2024 -00
gpg: using EDDSA key DD464F0492876A61B08CBAFEB9FE342E12D2B962
[GNUPG:] ERRSIG B9FE342E12D2B962 22 10 01 1716174906 9 DD464F0492876A61B08CBAFEB9FE342E12D2B962
[GNUPG:] NO_PUBKEY B9FE342E12D2B962
gpg: Can't check signature: No public key
[GNUPG:] FAILURE gpg-exit 33554433
gpg: can't create `/etc/portage/gnupg/random_seed': Permission denied
!!! Invalid binary package: '/var/cache/binpkgs/dev-util/debugedit/debugedit-5.0-r3-2.gpkg.tar.738588', GPG verify failed
|
Huh? Doesn't matter whether I use ECC or RSA, whether I enter or omit passphrase, whether I kill leftover gpg-agent nonsense that keeps running daemonized for some reason... WAIDW?
Last edited by vthriller on Tue May 28, 2024 6:22 am; edited 1 time in total |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9609 Location: beyond the rim
|
Posted: Wed May 22, 2024 7:32 am Post subject: |
|
|
Disclaimer: This is just an educated guess.
Going by the output I'd suspect there is just an issue with using different $HOME directories for signing and validation:
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
That is where you have your generated keys, but that is just used for signing.
gpg: WARNING: unsafe ownership on homedir '/etc/portage/gnupg'
For validation gpg is using that path as homedir, so your public key needs to be available there (plus you should probably fix the permissions to avoid that warning and the error later on). |
|
Back to top |
|
|
vthriller n00b
Joined: 20 May 2024 Posts: 5
|
Posted: Tue May 28, 2024 6:22 am Post subject: |
|
|
Genone wrote: | For validation gpg is using that path as homedir, so your public key needs to be available there |
Makes sense, thanks. It still took quite some time to make it working, but to summarize:
Code: |
# gpg --output - --export 0xB9FE342E12D2B962 | gpg --homedir /etc/portage/gnupg --import -
# cat /etc/portage/gnupg/pass
(here goes password used later on lsign stage)
# gpg --homedir /etc/portage/gnupg --edit-key 0xB9FE342E12D2B962
gpg> trust
...
4 = I trust fully
...
Your decision? 4
gpg> lsign
...
Really sign? (y/N) y
... enter password from above ...
gpg> save
# gpg --homedir /etc/portage/gnupg --check-trustdb
# emerge whatever
|
Or I guess I could've just generated key with --homedir /etc/portage/gnupg, used that as BINPKG_GPG_SIGNING_GPG_HOME, and saved time by avoiding importing and trust level juggling.
Genone wrote: | (plus you should probably fix the permissions to avoid that warning and the error later on). |
Funny thing is, getuto is what's actually creating /etc/portage/gnupg as root:root 755. I guess I should file a bug to make it 700 nobody: by default, even though that's just a warning that doesn't affect anything wrt what I was trying to accomplish. (In fact, I just regenerated that homedir and now I can't find any mentions of /etc/portage/gnupg in the logs, even though permissions are still suboptimal.) |
|
Back to top |
|
|
niderecha n00b
Joined: 10 Nov 2024 Posts: 17
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|