reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 12:37 pm Post subject: Snapshot verification during installation. |
|
|
I would like to verify the ebuild snapshot during installation.
I will download the latest snapshot to a USB flash and verify it before starting the install process.
Then extract it using
Code: | tar xvjf portage-latest.tar.bz2 -C usr |
Are my tar switches OK?
Last edited by reddragon on Tue Apr 25, 2017 11:34 pm; edited 1 time in total |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Tue Apr 25, 2017 1:25 pm Post subject: |
|
|
If they aren't okay, the worst that happens is no extraction, or extraction to a place you didn't intend.
You don't give enough information to allow a conclusion about "right place," and that command will fail if the tarball is not in the ${PWD}, "present working directory". Your command will also fail if there is no directory "usr" off your ${PWD}. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 2:06 pm Post subject: |
|
|
Sorry, full commands are
Code: | mkdir /mnt/usb
mount /dev/sdc1 /mnt/usb
cd /mnt/usb
tar xvjf portage-latest.tar.bz2 -C /usr |
This should replace these sections of the handbook
Code: | https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Installing_an_ebuild_repository_snapshot_from_the_web
and
https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Optional:_Updating_the_Gentoo_ebuild_repository |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Tue Apr 25, 2017 2:21 pm Post subject: |
|
|
For what it's worth, I usually extract by first making ${PWD} where I want the extracted files to end up; then using the full path/filename for the tarball. In other words, I never use the "-C" switch.
Before extracting, I check to make sure the tarball structure will land in the right place, relative to ${PWD}, with `tar tf /full/path/to/tarball.tar`
I think either way works, your "-C /usr", or my way `cd /usr; tar xf /path/to/portage-latest.tar.bz2` --- assuming you want the portage tree to begin at /usr/portage that is.
Somewhere along the line, tar got smartened up, so the "j" or "z" parameters informing tar it is dealing with a bzipped or gzipped file are no longer required. The "v" parameter isn't necessary, and for a tarball with thousands of files, like the gentoo-latest, I would not use it. It doesn't hurt anything, just slows things down ever so slightly. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 2:38 pm Post subject: |
|
|
I don't have a running Gentoo yet.
"/usr/portage" is the default location? |
cwr Veteran
Joined: 17 Dec 2005 Posts: 1969
|
Posted: Tue Apr 25, 2017 2:46 pm Post subject: |
|
|
Start with the handbook (there are offline versions):
Code: |
https://wiki.gentoo.org/wiki/Handbook:Main_Page
|
In brief, switch to the partition which you will use for your root filesystem
and unpack the appropriate Stage 3 file. Then switch to the new /usr
directory, and unpack the portage snapshot.
Will |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Tue Apr 25, 2017 2:52 pm Post subject: |
|
|
Yes, the portage tree (list of ebuild files, checksums, etc.) is defaulted to /usr/portage.
If your Gentoo is not running, but you have booted into some other system, the other system has no doubt taken up residence at /usr.
There is more than one way to handle this condition. What will become the new Gentoo install is mounted "elsewhere" relative to the running system. A common location for what will become the new Gentoo install is /mnt/gentoo.
Not knowing exactly where you are at in this install, maybe you have made what will become the new Gentoo install your root directory already, with `chroot /mnt/gentoo /bin/bash` or similar, in which case (the chrooted environment) "/usr" is the correct destination for the portage tree. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 3:01 pm Post subject: |
|
|
Yes, I plan to do this inside the new Gentoo chroot environment as per the handbook.
But instead of downloading the snapshot I will use the verified one from USB flash. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 3:07 pm Post subject: |
|
|
cwr
I will look at your link.
It's not really an offline install though, just want to verify snapshot like webrsync-gpg does. |
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Tue Apr 25, 2017 3:10 pm Post subject: |
|
|
You're on your way then. It'll work, you're on the right track.
I just now, based on this thread, downloaded a portage tree snapshot. Its "install directory" is "portage", so if the tarball is extracted from ${PWD}=/usr, the contents of the tarball populate "/usr/portage". I believe the same thing happens if you use "-C /usr" from anywhere. |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Tue Apr 25, 2017 7:47 pm Post subject: |
|
|
emerge-webrsync leaves the tarball in $DISTFILES. You can do your gpg/sha256 verification on that manually, if you don't want to use webrsync-gpg. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 10:42 pm Post subject: Validated Gentoo repository snapshots during installation |
|
|
This guide will help you to download and validate a repository snapshot while installing Gentoo.
It was written for the AMD64 version of the handbook but should be relevant to other architectures.
A quote from the Gentoo handbook on validated gentoo repository snapshots found here.
Quote: | This ensures that no rogue rsync mirror is adding unwanted code or packages to the tree the system is downloading. |
These steps can be followed once you have completed the "Downloading the stage tarball" section of the handbook.
Code: | https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage#Downloading_the_stage_tarball |
Choose a mirror near you
Code: | https://www.gentoo.org/downloads/mirrors/ |
Download the snapshot, gpgsig and md5sum.
Code: | wget https://mirrors.evowise.com/gentoo/snapshots/portage-latest.tar.bz2{,.gpgsig,.md5sum} |
Download the snapshot keys.
Code: | gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys 0xDB6B8C1F96D8BF6D |
Verify the gpg signature.
Code: | gpg --verify portage-latest.tar.bz2.gpgsig portage-latest.tar.bz2 |
Verify the md5sum.
Code: | md5sum -c portage-latest.tar.bz2.md5sum |
Then instead of following the sections "Installing an ebuild repository snapshot from the web" and "Updating the Gentoo ebuild repository".
Code: | https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Installing_an_ebuild_repository_snapshot_from_the_web
https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Optional:_Updating_the_Gentoo_ebuild_repository |
Extract the snapshot.
Code: | tar xvjf portage-latest.tar.bz2 -C usr |
Remove the cruft.
Code: | rm portage-latest.* |
Then follow the handbook as normal. After installation is complete, follow the instructions here to enable verification of future updates.
Code: | https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Gentoo_repository_snapshots |
Last edited by reddragon on Wed Apr 26, 2017 2:39 pm; edited 7 times in total |
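The guide's verify-then-extract steps, together with cboldt's `tar tf` check earlier in the thread, as one gated script. This is an added example, not code from any poster or from Gentoo; the function names, the constructed sample status lines and the `portage/` prefix rule are assumptions of the example, and the key ID is the one quoted in the guide.

```shell
#!/bin/sh
# Added example (not from the thread). KEYID is the long key ID quoted in the
# guide; pin the full 40-hex fingerprint instead if you have it from a trusted
# channel. The .md5sum comes from the same mirror as the tarball, so it only
# catches download corruption; the signature is the real check.
KEYID=DB6B8C1F96D8BF6D

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line names
# a primary-key fingerprint (last field) ending in $1 and gpg reported no bad,
# expired or revoked signature/key alongside it.
sig_ok() {
    awk -v id="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && length($NF) == 40 && substr($NF, 25) == id { good = 1 }
        END { exit !(good && !bad) }'
}

# Reads a `tar tf` listing on stdin. Succeeds only if every member name is
# portage or portage/..., i.e. nothing absolute and no ".." path component.
members_ok() {
    awk '
        index($0, "portage/") != 1 && $0 != "portage" { bad = 1 }
        { n = split($0, part, "/"); for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1 }
        END { exit (bad || NR == 0) }'
}

# verify_and_extract TARBALL DESTDIR, e.g. portage-latest.tar.bz2 /mnt/gentoo/usr
verify_and_extract() {
    gpg --status-fd 1 --verify "$1.gpgsig" "$1" 2>/dev/null | sig_ok "$KEYID" ||
        { echo "signature check failed: $1" >&2; return 1; }
    tar tf "$1" | members_ok ||
        { echo "unexpected member paths in $1" >&2; return 1; }
    tar xf "$1" -C "$2"
}

# Constructed status output for a dry run of sig_ok; both fingerprints are
# made up apart from the key ID suffix.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 constructed signer
[GNUPG:] VALIDSIG 2222222222222222222222221111111111111111 2017-04-25 1493078400 0 4 0 1 8 00 333333333333333333333333DB6B8C1F96D8BF6D'

if [ "$#" -eq 2 ]; then verify_and_extract "$1" "$2"; fi
```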
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 10:43 pm Post subject: |
|
|
Mods, should I update the first post? |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Tue Apr 25, 2017 10:44 pm Post subject: |
|
|
Ant P. wrote: | emerge-webrsync leaves the tarball in $DISTFILES. You can do your gpg/sha256 verification on that manually, if you don't want to use webrsync-gpg. |
I didn't think you could do webrsync-gpg during install. How do you do it? |
R0b0t1 Apprentice
Joined: 05 Jun 2008 Posts: 264
|
Posted: Wed Apr 26, 2017 11:16 pm Post subject: |
|
|
The installation CD comes with GnuPG; what I usually do is download the portage snapshot and verify it from outside of the chroot. Then enter the chroot, set up make.conf so that webrsync-gpg is used, and emerge GnuPG and the Gentoo keyrings. |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Wed Apr 26, 2017 11:37 pm Post subject: |
|
|
reddragon wrote: | Ant P. wrote: | emerge-webrsync leaves the tarball in $DISTFILES. You can do your gpg/sha256 verification on that manually, if you don't want to use webrsync-gpg. |
I didn't think you could do webrsync-gpg during install. How do you do it? |
It only needs the signing keys to be present in $PORTAGE_GPG_DIR. It doesn't care how they get there; you don't need to emerge gentoo-keys first. |
reddragon n00b
Joined: 04 Apr 2017 Posts: 24
|
Posted: Thu May 11, 2017 1:06 am Post subject: |
|
|
Ant P. wrote: | reddragon wrote: | Ant P. wrote: | emerge-webrsync leaves the tarball in $DISTFILES. You can do your gpg/sha256 verification on that manually, if you don't want to use webrsync-gpg. |
I didn't think you could do webrsync-gpg during install. How do you do it? |
It only needs the signing keys to be present in $PORTAGE_GPG_DIR. It doesn't care how they get there; you don't need to emerge gentoo-keys first. |
I don't think this will work because gpg is not included in the default Gentoo install. |