
[gentoo-user] syncing via git and signature failure


Bill Kenworthy
Jul 3, 2018, 11:30:03 PM
I am using git to sync portage and have added the enabling line to
repos.conf:

"sync-git-verify-commit-signature = true"

but only ever get (been enabled for a week now):

 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ... [ ok ]
 * No valid signature found: unable to verify signature (missing key?)

Is there something else needed?  I do have
app-crypt/openpgp-keys-gentoo-release installed and updated.

BillK

Adam Carter
Jul 4, 2018, 1:20:03 AM
I use rsync and get the following for more than a day now:

!!! Manifest verification failed:
OpenPGP verification failed:
gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
gpg: Can't check signature: No public key


Alex Thorne
Jul 4, 2018, 5:00:02 AM

> I use rsync and get the following for more than a day now:
>
> !!! Manifest verification failed:
> OpenPGP verification failed:
> gpg: Signature made Wed 04 Jul 2018 04:08:28 AM UTC
> gpg:                using RSA key E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> gpg: Can't check signature: No public key


I'm seeing this too. For me `app-crypt/gentoo-keys` is somehow no longer installed and `/var/lib/gentoo/gkeys` is missing. I have no idea how this happened. Perhaps it somehow got into `emerge --depclean` and I didn't catch it.

Alex 

Mick
Jul 4, 2018, 1:20:03 PM
I use good ol' rsync, because git creates too big a local portage for my disk
space requirements.

I came across the same problem today, after noticing the sync was hanging for
a few minutes at:

>>> Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys from keyserver ...

I'm guessing it was trying to connect to a key server and failing. Eventually
it continued, then sync'ed with a mirror and then arrived at the same "no
public key" error. Having waited 15 years to arrive at a more secure
method of validating the portage content, hopefully sorting out the
infrastructure to support it won't take too long.

Is there any news on how/when this problem may be overcome?
--
Regards,
Mick

gevisz
Jul 4, 2018, 2:00:04 PM
No. Gentoo maintainers just overlooked that all Gentoo signing keys expired
on July 1, and added the new openpgp-keys-gentoo to the portage tree only on July 2.

So, since July 1, rsync cannot verify any new portage tree and cannot download
app-crypt/openpgp-keys-gentoo-release-20180702

It was discovered in the thread
"All Gentoo signing key expired and no way to fix it"
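What gevisz describes is the difference between a key that gpg cannot find at all in the keyring it was pointed at (its "No public key" message) and a key that is present but has passed its expiry date, which is the state every Gentoo signing key was in from July 1 until the 20180702 keyring package arrived. The following is an added example, not code from this thread or from Gentoo's portage/gemato, that parses a keyring listing in `gpg --with-colons` format and classifies the signer of a Manifest as missing, expired or ok at a chosen instant. The key IDs in the constructed sample listing are the ones that appear in Adam Carter's error output and in gevisz's --recv-keys command later in the thread; the dates, user ID, zero-padded primary fingerprint and the primary/subkey arrangement are assumptions made for the example and say nothing about the real Gentoo keys.

```python
"""Added example (not from the thread or from Gentoo's tooling): classify the
key behind a Manifest signature as missing, expired or ok, working from a
keyring listing in `gpg --with-colons` format.

Producing real input on a Gentoo box (GnuPG 2.x, throwaway homedir so the
system keyrings are untouched):
    d=$(mktemp -d)
    gpg --homedir "$d" --import /usr/share/openpgp-keys/gentoo-release.asc
    gpg --homedir "$d" --with-colons --with-fingerprint --list-keys

The listings embedded below are constructed: key IDs are copied from the
thread, everything else (dates, user ID, zero-padded primary fingerprint,
the primary/subkey arrangement) is an assumption for the example only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

JUL_01_2018 = 1530403200  # 2018-07-01 00:00:00 UTC, the expiry date gevisz names
SIG_TIME = 1530677308     # "Signature made Wed 04 Jul 2018 04:08:28 AM UTC" (Adam's post)
SIGNER = "E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250"  # "using RSA key ..." in that post


@dataclass
class Key:
    keyid: str                     # 16-hex long key ID (colon field 5)
    expires: Optional[int] = None  # epoch seconds (colon field 7); None = never
    fingerprint: str = ""          # 40 hex, from the fpr record that follows
    uids: List[str] = field(default_factory=list)
    subkeys: Dict[str, "Key"] = field(default_factory=dict)


def parse_colons(listing: str) -> Dict[str, Key]:
    """Parse pub/sub/fpr/uid records into {primary long key ID: Key}."""
    keys: Dict[str, Key] = {}
    primary: Optional[Key] = None
    last: Optional[Key] = None  # key (primary or sub) the next fpr record belongs to
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary = Key(keyid=f[4], expires=int(f[6]) if f[6] else None)
            keys[primary.keyid] = primary
            last = primary
        elif f[0] == "sub" and primary is not None:
            sub = Key(keyid=f[4], expires=int(f[6]) if f[6] else None)
            primary.subkeys[sub.keyid] = sub
            last = sub
        elif f[0] == "fpr" and last is not None:
            last.fingerprint = f[9]
        elif f[0] == "uid" and primary is not None:
            primary.uids.append(f[9])
    return keys


def find_signer(keys: Dict[str, Key], ref: str) -> Optional[Tuple[Key, Key]]:
    """Find a primary key or subkey by 40-hex fingerprint or (0x-prefixed) long ID."""
    ref = ref[2:] if ref[:2].lower() == "0x" else ref
    ref = ref.upper()
    for primary in keys.values():
        for k in (primary, *primary.subkeys.values()):
            if k.fingerprint == ref or k.keyid == ref[-16:]:
                return primary, k
    return None


def signature_status(keys: Dict[str, Key], signer_ref: str, at: int) -> str:
    """'missing' if the signer is not in the keyring at all (gpg: "No public key"),
    'expired' if the signing key or its primary had expired at instant `at`
    (gpg judges this against the current clock), otherwise 'ok'."""
    found = find_signer(keys, signer_ref)
    if found is None:
        return "missing"
    primary, signer = found
    if any(k.expires is not None and k.expires <= at for k in (primary, signer)):
        return "expired"
    return "ok"


# Constructed: keyring as shipped before 20180702, both keys expiring 2018-07-01.
OLD_KEYRING = """\
pub:e:4096:1:DB6B8C1F96D8BF6D:1420070400:1530403200::-:::cSC::::::23::0:
fpr:::::::::000000000000000000000000DB6B8C1F96D8BF6D:
uid:e::::1420070400::0000000000000000000000000000000000000000::Gentoo repository signing key (constructed sample)::::::::::
sub:e:4096:1:EC590EEAC9189250:1420070400:1530403200:::::s::::::23:
fpr:::::::::E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250:
"""

# Constructed: the same keys as re-issued in the 20180702 package, expiry moved to 2019-07-01.
NEW_KEYRING = (OLD_KEYRING.replace(":1530403200:", ":1561939200:")
               .replace("pub:e:", "pub:-:").replace("sub:e:", "sub:-:").replace("uid:e:", "uid:-:"))


def demo() -> Dict[str, str]:
    """The situations the thread describes, as {case: status}."""
    return {
        "keyring absent (gentoo-keys depcleaned)": signature_status(parse_colons(""), SIGNER, SIG_TIME),
        "old keyring, checked 30 Jun": signature_status(parse_colons(OLD_KEYRING), SIGNER, JUL_01_2018 - 86400),
        "old keyring, checked 4 Jul": signature_status(parse_colons(OLD_KEYRING), SIGNER, SIG_TIME),
        "20180702 keyring, checked 4 Jul": signature_status(parse_colons(NEW_KEYRING), SIGNER, SIG_TIME),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:42s} {status}")
```

Run as a script it prints the four cases. Against a real system, feed the output of the `--list-keys` command in the docstring to parse_colons and the instant you care about to signature_status. Because gpg judges key expiry against the current clock, a keyring that verified on 30 June fails on 1 July with no local change, which is why the thread's machines broke on the same day, and why a tree that cannot be verified cannot deliver the updated keyring package that would fix it.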

Mick
Jul 4, 2018, 2:10:03 PM
Is there a documented manual workaround we could follow at present,
irrespective of our sync'ing mechanism of choice?

--
Regards,
Mick

gevisz
Jul 4, 2018, 2:40:03 PM
For me, it somehow worked by manually refreshing the Gentoo signing keys by
executing the following two commands:
# gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
# gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D
in a different order and sourcing /etc/profile.

But, please, note that I use emerge-webrsync to update the portage tree.

Mick
Jul 4, 2018, 6:30:02 PM
Thanks gevisz, the first line to refresh keys fails, because in /var/lib/gentoo/
I only have a news/ subdirectory.

Interestingly, I already have app-crypt/openpgp-keys-gentoo-release installed,
but still get 'gpg: Can't check signature: No public key' error when running
rsync.

--
Regards,
Mick

Bill Kenworthy
Jul 4, 2018, 6:40:03 PM
I believe the internal mechanisms are different between git and rsync.
I've tried manually updating the keys with no luck.


BillK

Floyd Anderson
Jul 4, 2018, 7:10:03 PM
On Wed, 04 Jul 2018 23:25:16 +0100
Mick <michael...@gmail.com> wrote:
>
>Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
>gentoo/ I only have a news/ subdirectory.
>
>Interestingly, I already have app-crypt/openpgp-keys-gentoo-release installed,
>but still get 'gpg: Can't check signature: No public key' error when running
>rsync.

For me, using the keys from package:

app-crypt/openpgp-keys-gentoo-release-20180703 [1]

and running gemato with those:

# gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/

solves the issue. Afterwards I was able to update (it pulls and installs the
new version app-crypt/openpgp-keys-gentoo-release-20180703).

Hope that helps.


References:

- [1] <https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-release.asc.20180703.gz>



--
Regards,
floyd

methylherd
Jul 4, 2018, 7:30:02 PM
I had the same error (no public key) and fixed it today with a simple
re-emerge. After that, sync runs without a problem.

Your keyfile location depends on the way you sync (git,rsync,webrsync).
There is a nice wiki page for this.[1]

I use portage with rsync, so I don't need app-crypt/gentoo-keys which
should install the keyring for webrsync.

First, I moved /usr/share/openpgp-keys/gentoo-release.asc, looked for
the right key ID and fetched the key from the keyserver; there was no
difference because the key ID published on gentoo.org is too old :-D


After updating
=app-crypt/openpgp-keys-gentoo-release-20180702

=app-crypt/openpgp-keys-gentoo-release-20180703


I've no clue why portage uses a key for only 1 day, but - everything
works :-)


[1] https://wiki.gentoo.org/wiki/Portage_Security


John Covici
Jul 4, 2018, 11:00:03 PM
I got the following when running your command:
gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
INFO:root:Refreshing keys from keyserver...
INFO:root:Keys refreshed.
ERROR:root:Top-level Manifest not found in /usr/portage/

How can I fix, or do I need to fix?

Thanks.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

gevisz
Jul 5, 2018, 5:50:03 AM
It seems that everything is explained in
https://wiki.gentoo.org/wiki/Portage_Security
(This link was first provided in this thread by methylherd.)

>> For me, it somehow worked by manually refreshing the Gentoo signing keys by
>> executing the following two commands:
>> # gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --refresh-keys
>> # gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys
>> 0xDB6B8C1F96D8BF6D in different order and sourcing /etc/profile
>>
>> But, please, note that I use emerge-webrsync to update the portage tree.
>
> Thanks gevisz, the first line to refresh keys fails, because in /var/lib/
> gentoo/ I only have a news/ subdirectory.

Interestingly, it was the second line that seemed to fail in my case.
(I was in a hurry and executed it so many times that I cannot
say for sure.)

But, as it has already been pointed out by Bill Kenworthy and
explained in https://wiki.gentoo.org/wiki/Portage_Security ,
the internal mechanisms for checking Gentoo signatures
are different between git, rsync and webrsync.

Floyd Anderson
Jul 5, 2018, 12:10:03 PM
On Wed, 04 Jul 2018 22:57:05 -0400
John Covici <cov...@ccs.covici.com> wrote:
>
>I got the following when running your command:
>gemato verify -K /tmp/gentoo-release.asc.20180703 /usr/portage/
>INFO:root:Refreshing keys from keyserver...
>INFO:root:Keys refreshed.

To be more specific, I wasn't interested in verifying the tree. My main
goal was to get:

INFO:root:Keys refreshed.

because my sync/update script hung at:

INFO:root:Refreshing keys from keyserver...

all the time, caused by:

gpg: Can't check signature: No public key

result, so I wasn't able to update.

>ERROR:root:Top-level Manifest not found in /usr/portage/
>
>How can I fix, or do I need to fix?

I've no idea why your portage tree doesn't have a top-level Manifest
file (assuming "/usr/portage" is the location of your tree), but it
should be created/updated on next syncing.


--
Regards,
floyd

Bill Kenworthy
Jul 6, 2018, 7:50:04 PM
I still have this error and I've tried a number of things including:

gemato create -p ebuild -K /usr/share/openpgp-keys/gentoo-release.asc /usr/portage/

The next emerge --sync errored on a lot of private manifest files, but the
missing root Manifest error disappeared. Deleted them and successfully
resynced.

olympus /usr/portage # gemato verify -s -K /usr/share/openpgp-keys/gentoo-release.asc /usr/portage/
INFO:root:Refreshing keys from keyserver...
INFO:root:Keys refreshed.
ERROR:root:Top-level Manifest /usr/portage/Manifest is not OpenPGP signed
olympus /usr/portage #

also did a "git reset --hard"

still get:

olympus /usr/portage # emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
/usr/bin/git pull
Already up to date.
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ... [ ok ]
 * No valid signature found: unable to verify signature (missing key?)
q: Updating ebuild cache in /usr/portage ...


BillK

Floyd Anderson
Jul 6, 2018, 9:50:03 PM
Hi Bill,
please be aware of the context of my response to Mick. He uses *rsync*
and so do I. It seems you are using Git and thus a different tree
verification mechanism. I don't know why you have gemato installed,
because it usually only comes with sys-apps/portage[rsync-verify] set
and is therefore only related to *rsync*.

Have a look at:

- [1] <https://www.gentoo.org/glep/glep-0074.html>
- [2] <https://www.gentoo.org/support/news-items/2018-01-30-portage-rsync-verification.html>
- [3] <https://wiki.gentoo.org/wiki/Portage_Security>

for some further information. Maybe:

$ git status --untracked-files

within your tree location can help to identify and sanitise the tree
from any of your (with gemato) created files.


--
Regards,
floyd

Bill Kenworthy
Jul 7, 2018, 12:20:05 AM
Brings up all the manifest files so I'll clean them out, resync and
see. I do have rsync-verify set but I would not have thought that the
problem. The system was converted to git syncing (by deletion and
recreating) soon after git became available, so it could be that something
ancient is the cause. None of the docs I have examined seem to cover
portage and git problems very well.


BillK