Portage snapshot signing key expired again


Portage snapshot signing key expired again

gevisz
Just tonight I tried to update my portage snapshot
with the emerge-webrsync command and found out that
the portage snapshot signing key had expired again
without being properly updated by an app-crypt/gentoo-keys
update before its expiration, as described here:
https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

On the other hand, app-crypt/gkeys is marked ~
for my architecture (amd64). So it is impossible
to update the portage snapshot signing key without
using a non-recommended package.

The same situation happened just half a year ago.

Is it only me who thinks that Gentoo must care more about security?


Re: Portage snapshot signing key expired again

Rich Freeman
On Wed, Jan 9, 2019 at 6:21 AM gevisz <[hidden email]> wrote:
>
> Just tonight I tried to update my portage snapshot
> with the emerge-webrsync command and found out that
> the portage snapshot signing key had expired again
> without being properly updated by an app-crypt/gentoo-keys
> update before its expiration, as described here:
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots

So, a few issues there.  Gentoo-keys isn't used to validate portage
snapshots.  On my system emerge --sync checks them with
/usr/share/openpgp-keys/gentoo-release.asc which is part of
app-crypt/openpgp-keys-gentoo-release.  The keys in this file don't
expire until July 2019 at the earliest.

> On the other hand, app-crypt/gkeys is marked ~
> for my architecture (amd64). So it is impossible
> to update the portage snapshot signing key without
> using a non-recommended package.

Then don't use that package.  It isn't needed to verify signing keys.  :)

>
> The same situation happened just half a year ago.
>
> Is it only me who thinks that Gentoo must care more about security?
>

You might want to investigate a bit more before pointing fingers...

--
Rich
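
The complaint in this thread is that the keys in /usr/share/openpgp-keys/gentoo-release.asc were noticed to have expired only when the sync refused to verify. The script below is an added example (not Gentoo's or Portage's own tooling) of how to find that out ahead of time: it parses the machine-readable `gpg --with-colons` listing of a keyring file and reports every primary key and subkey that has expired or expires within a warning window. The sample listing embedded in it is constructed, not real Gentoo key data; the key IDs, dates, the 30-day window and the use of `gpg --show-keys` (GnuPG 2.2 or later) are assumptions of the example. In the sample the primary key is valid until July 2019 while its signing subkey lapsed on 1 January 2019, which is the shape of problem the thread describes.

```python
"""Flag OpenPGP keys in a keyring that have expired or will expire soon.

Added example, not Gentoo's own tooling.  Reads the `gpg --with-colons`
listing of a keyring file such as /usr/share/openpgp-keys/gentoo-release.asc
and reports each primary key and subkey whose expiration has passed or
falls within WARN_DAYS, so the "key expired, sync refuses to verify"
situation is seen before it happens rather than after.
"""
import subprocess
import sys
import time

WARN_DAYS = 30  # assumption: how far ahead to warn

# Constructed sample of `gpg --with-colons` output; not real Gentoo key data.
# Fields (0-based): 0 record type, 4 key ID, 5 creation, 6 expiration
# (Unix seconds, empty means no expiry), 11 capabilities (lowercase letters
# are this key's own: s=sign, c=certify, e=encrypt, a=authenticate).
# Primary key expires 2019-07-01, signing subkey 2019-01-01, encryption
# subkey never.
SAMPLE = """\
pub:-:4096:1:0123456789ABCDEF:1514764800:1561939200::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1514764800::0000000000000000000000000000000000000000::Example Release Key <release@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1514764800:1546300800:::::s::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
sub:-:4096:1:1122334455667788:1514764800::::::e::::::23:
"""


def parse_colons(text):
    """Yield (record_type, key_id, expiry_epoch_or_None, caps) for pub/sub records."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue
        expiry = int(fields[6]) if fields[6] else None
        yield fields[0], fields[4], expiry, fields[11]


def classify(text, now, warn_days=WARN_DAYS):
    """Map key ID -> "expired", "expiring", "ok" or "never", as of `now` (epoch seconds)."""
    status = {}
    for _rtype, key_id, expiry, _caps in parse_colons(text):
        if expiry is None:
            status[key_id] = "never"
        elif expiry <= now:
            status[key_id] = "expired"
        elif expiry - now <= warn_days * 86400:
            status[key_id] = "expiring"
        else:
            status[key_id] = "ok"
    return status


def usable_signing_keys(text, now):
    """Key IDs that carry the sign capability themselves and are not expired at `now`."""
    status = classify(text, now)
    return [key_id for _r, key_id, _e, caps in parse_colons(text)
            if "s" in caps and status[key_id] != "expired"]


def report(text, now=None, warn_days=WARN_DAYS):
    """One 'KEYID: status' line per key, in listing order."""
    now = int(time.time()) if now is None else now
    return [f"{key_id}: {state}" for key_id, state in classify(text, now, warn_days).items()]


def keyring_colons(path):
    """Colon-format listing of a keyring file (gpg --show-keys needs GnuPG >= 2.2)."""
    cmd = ["gpg", "--batch", "--with-colons", "--show-keys", path]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: python check_keyring_expiry.py /usr/share/openpgp-keys/gentoo-release.asc
    # Without an argument the constructed SAMPLE listing is used.
    listing = keyring_colons(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    now = int(time.time())
    for line in report(listing, now):
        print(line)
    if not usable_signing_keys(listing, now):
        print("no unexpired signing key: snapshot verification will fail closed")
        sys.exit(1)
```

Run from cron against the installed keyring, a non-zero exit (or any "expiring" line) is the cue to update app-crypt/openpgp-keys-gentoo-release before the sync starts refusing snapshots. The check deliberately inspects both primary keys and subkeys, because a release signature is commonly made by a signing subkey whose lifetime is shorter than the primary's.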


Re: Portage snapshot signing key expired again

gevisz
Wed, 9 Jan 2019 at 19:36, Rich Freeman <[hidden email]>:

>
> On Wed, Jan 9, 2019 at 6:21 AM gevisz <[hidden email]> wrote:
> >
> > Just tonight I tried to update my portage snapshot
> > with the emerge-webrsync command and found out that
> > the portage snapshot signing key had expired again
> > without being properly updated by an app-crypt/gentoo-keys
> > update before its expiration, as described here:
> > https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
>
> So, a few issues there.  Gentoo-keys isn't used to validate portage
> snapshots.  On my system emerge --sync checks them with
> /usr/share/openpgp-keys/gentoo-release.asc which is part of
> app-crypt/openpgp-keys-gentoo-release.  The keys in this file don't
> expire until July 2019 at the earliest.
>
> > On the other hand, app-crypt/gkeys is marked ~
> > for my architecture (amd64). So it is impossible
> > to update the portage snapshot signing key without
> > using a non-recommended package.
>
> Then don't use that package.  It isn't needed to verify signing keys.  :)
>
> > The same situation happened just half a year ago.
> >
> > Is it only me who thinks that Gentoo must care more about security?
> >
>
> You might want to investigate a bit more before pointing fingers...

OK, not the app-crypt/gentoo-keys package but
the app-crypt/openpgp-keys-gentoo-release package.

Does it matter?

The fact is that today emerge-webrsync told me that the
portage snapshot signing key had expired and because of it
it could not download and verify the daily portage snapshot.

I had no choice but to install the app-crypt/gkeys package
and use it to get new portage snapshot signing keys.

Only after that was emerge-webrsync finally able to
download and verify the daily portage snapshot.

After that I found out that a new
app-crypt/openpgp-keys-gentoo-release package
was released on 2 January 2019, when the previous
portage signing keys had already expired.

A similar situation happened just half a year ago.

To add to it, the following bug with Gentoo documentation,
which I posted on 24 November 2018, is still unfixed:
https://bugs.gentoo.org/671816

Just to remind, the said bug is about the fact that it is
impossible to install Gentoo the way it is described
in the Gentoo Handbook, just because the same
emerge-webrsync cannot download and verify the
daily portage snapshot right after stage3 is untarred.

What else shall I "investigate" before stating that
Gentoo neglects security issues?

No wonder the Gentoo GitHub account was also hacked last year!


Re: Portage snapshot signing key expired again

Rich Freeman
On Wed, Jan 9, 2019 at 2:38 PM gevisz <[hidden email]> wrote:

>
> Wed, 9 Jan 2019 at 19:36, Rich Freeman <[hidden email]>:
> >
> > On Wed, Jan 9, 2019 at 6:21 AM gevisz <[hidden email]> wrote:
> > >
> > > On the other hand, app-crypt/gkeys is marked ~
> > > for my architecture (amd64). So it is impossible
> > > to update the portage snapshot signing key without
> > > using a non-recommended package.
> OK, not the app-crypt/gentoo-keys package but
> the app-crypt/openpgp-keys-gentoo-release package.
>
> Does it matter?

Sure, because you brought up issues with unrelated packages, like
stable/unstable keywords, which aren't actually problems.

> After that I found out that a new
> app-crypt/openpgp-keys-gentoo-release package
> was released on 2 January 2019, when the previous
> portage signing keys had already expired.

You probably should have led with that.  Seems like an actual issue.
Or at least lead with "I have this problem - what should I do?" and
not basically starting out by accusing everybody of not caring about
security.

Really, though, an expired key fails safe - it blocks updates and
doesn't cause you to install insecure ones.  That is certainly how I'd
prefer that it behaves.  Sure, it would be better if keys were updated
before they expire, but I tend to doubt that your email is going to do
much to fix that.

I don't use webrsync which is probably why I didn't personally notice
this issue - I'm guessing it uses a different key than git but I
haven't checked.

--
Rich


Re: Portage snapshot signing key expired again

gevisz
Wed, 9 Jan 2019 at 22:17, Rich Freeman <[hidden email]>:

>
> On Wed, Jan 9, 2019 at 2:38 PM gevisz <[hidden email]> wrote:
> >
> > Wed, 9 Jan 2019 at 19:36, Rich Freeman <[hidden email]>:
> > >
> > > On Wed, Jan 9, 2019 at 6:21 AM gevisz <[hidden email]> wrote:
> > > >
> > > > On the other hand, app-crypt/gkeys is marked ~
> > > > for my architecture (amd64). So it is impossible
> > > > to update the portage snapshot signing key without
> > > > using a non-recommended package.
> > OK, not the app-crypt/gentoo-keys package but
> > the app-crypt/openpgp-keys-gentoo-release package.
> >
> > Does it matter?
>
> Sure, because you brought up issues with unrelated packages, like
> stable/unstable keywords, which aren't actually problems.
>
> > After that I found out that a new
> > app-crypt/openpgp-keys-gentoo-release package
> > was released on 2 January 2019, when the previous
> > portage signing keys had already expired.
>
> You probably should have led with that.  Seems like an actual issue.
> Or at least lead with "I have this problem - what should I do?" and
> not basically starting out by accusing everybody of not caring about
> security.
>
> Really, though, an expired key fails safe - it blocks updates and
> doesn't cause you to install insecure ones.  That is certainly how I'd
> prefer that it behaves.  Sure, it would be better if keys were updated
> before they expire, but I tend to doubt that your email is going to do
> much to fix that.

I had the impression that you were a member of the Gentoo Council.
Now I have checked this and found out that you are not. So I should
agree with you that this e-mail of mine probably will not do much to fix
the issue (especially the one with the bug). So I should probably
send a similar e-mail to all Gentoo Council members.

> I don't use webrsync which is probably why I didn't personally notice
> this issue - I'm guessing it uses a different key than git but I
> haven't checked.

Yes, they use different ways of verifying the snapshots.