View previous topic :: View next topic |
Author |
Message |
bibl4 n00b
Joined: 07 Jan 2005 Posts: 26 Location: Switzerland
|
Posted: Mon Nov 06, 2006 5:50 pm Post subject: Question about gpg in make.conf features [Closed] |
|
|
Dear all
I would like to activate 'gpg' FEATURE in make.conf
I tried to get gentoo.gpg at http://dev.gentoo.org/~carpaski/gpg without success (page not found error)
Accordingly gentoo developpers list, carpaski seems to have left gentoo...
I furthermore tryied to find any tips about finding the missing file without any success (documentation and forums).
Q1: I noticed gpg feature is experimental. But is it still available, useable, up to date (i.e: status) ?
Q2: How do a user get the gentoo.gpg keys ?
Q3: Is there any documentation about using this feature (no PORTAGE_GPG_[KEY|DIR] variable
referenced either in make.conf or portage manual) ?
Many thank's for your tips
Kindest regards
bib
Last edited by bibl4 on Fri Nov 17, 2006 11:30 am; edited 1 time in total |
|
Back to top |
|
|
PMcCauley Apprentice
Joined: 14 Mar 2006 Posts: 283 Location: Alberta, Canada
|
|
Back to top |
|
|
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
|
Posted: Tue Nov 07, 2006 1:47 am Post subject: Re: Question about gpg in make.conf features |
|
|
bibl4 wrote: |
Q2: How do a user get the gentoo.gpg keys ? |
/usr/lib/portage/bin/portage_gpg_update.sh
HTH |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9611 Location: beyond the rim
|
Posted: Tue Nov 07, 2006 1:21 pm Post subject: |
|
|
Don't use it. It's useless, unmaintained and likely broken. |
|
Back to top |
|
|
bibl4 n00b
Joined: 07 Jan 2005 Posts: 26 Location: Switzerland
|
Posted: Tue Nov 07, 2006 1:54 pm Post subject: |
|
|
After having reworked portage setup with gpg till i could run an 'emerge --info' without troubles,
i got the tip of genone ...
End of the story (you may have a look on the developper list if you don't belive it)
Anyway many thanks to all of you for your tips |
|
Back to top |
|
|
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
|
Posted: Wed Nov 08, 2006 2:30 am Post subject: |
|
|
Some statistics for my desktop computer:
464 Packages installed
214 of the 464 installed Packages have a signed Manifest (approx. 46%)
39 different keys are used for signing these 214 Manifest files
Most of the software used for a server/router/firewall have a signature file on the project homepage to check the source tarball. Maybe you go that way to verify the installation data manually before emerging. |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9611 Location: beyond the rim
|
Posted: Wed Nov 08, 2006 8:36 am Post subject: |
|
|
kadeux wrote: | Most of the software used for a server/router/firewall have a signature file on the project homepage to check the source tarball. Maybe you go that way to verify the installation data manually before emerging. |
That only gives your a partial security though as you're only making sure that the primary sources are authentic. It won't protect you from malicious ebuilds or patches from a hacked rsync server (which is/was the main goal of Manifest signing). Just mentioning it so people don't get a false feeling of security when they go that way. |
|
Back to top |
|
|
kadeux Tux's lil' helper
Joined: 21 Nov 2005 Posts: 103
|
Posted: Wed Nov 08, 2006 2:10 pm Post subject: |
|
|
Genone wrote: | That only gives your a partial security though as you're only making sure that the primary sources are authentic. It won't protect you from malicious ebuilds or patches from a hacked rsync server (which is/was the main goal of Manifest signing). |
Agreed.
Genone wrote: | Just mentioning it so people don't get a false feeling of security when they go that way. |
I've wanted to keep my last posts short, but you are right, they may be misleading. Manually checking the source tarballs additionally to manually checking the already signed Manifest files in the tree was meant as an *insufficient* alternative to the (in the current state) even more insufficient automatic checking with the gpg feature in make.conf, which is not ready yet. It was only mentioned as a piece of one layer out of more security layers that we (we = the system administrators of our own computers) could implement. And people must understand that they will *never* be 100% secure, because something like "absolute secure" does not exist in real life. The "Portage and Programming" forum may not be the right place to start a discussion about all the other security layers, so let us look at the state of portage, the portage tree and the signing of Manifest files and Portage snapshots.
If you want to check if the version of a snapshot of the portage tree on a mirror is identical to the version of the tree on the main server at a given reference time, you can use emerge-delta-webrsync to build an identical version of the signed daily portage snapshot. After syncing (and before emerging) you can check the new created tarball with the *.gpgsig and *.md5sum and *.umd5sum found on the mirrors. (You can also use emerge-webrsync and download the daily snapshot directly, but using emerge-delta-webrsync is faster and reduces the load for the mirrors). And to reduce the risk of a hacked mirror, you could download the signature and the patches from different mirrors. Of course this could not protect you from malicious files from a hacked main server.
Genone: I remember that you are involved in the discussion about a policy for handling gpg signing in portage back in 2004. Can you give some informations about possible plans or a roadmap for further implementation of this feature in the future? |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9611 Location: beyond the rim
|
Posted: Wed Nov 08, 2006 2:14 pm Post subject: |
|
|
kadeux wrote: | Genone: I remember that you are involved in the discussion about a policy for handling gpg signing in portage back in 2004. Can you give some informations about possible plans or a roadmap for further implementation of this feature in the future? |
AFAIK Robin is currently working on a new proposal for it, haven't seen anything about it though other than various questions/comments regarding the Manifest2 format/implementation. For me, I've always waited for someone to actually define and implement a key policy, but nobody ever did. |
|
Back to top |
|
|
bibl4 n00b
Joined: 07 Jan 2005 Posts: 26 Location: Switzerland
|
Posted: Tue Nov 14, 2006 10:23 am Post subject: |
|
|
Wow!
Thank's again to kadeux and genone for the incredible competent answers to my questions.
This is stuff we can work with
Kindest regards |
|
Back to top |
|
|
|