Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] sks-key-poisoning news
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
xanderal
Tux's lil' helper
Tux's lil' helper


Joined: 06 Mar 2019
Posts: 129
Location: Germany

PostPosted: Sat Jul 13, 2019 10:51 pm    Post subject: [SOLVED] sks-key-poisoning news Reply with quote

Hi,
sorry, just want to make sure I understand this correctly: https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
As far as I understand this I've got nothing to worry about and can just emerge --sync, correct?
This is my /etc/portage/repos.conf:
Code:
[DEFAULT]
main-repo = gentoo
sync-allow-hardlinks = yes

[gentoo]
location = /usr/portage
#sync-type = webrsync
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-webrsync-verify-signature = true
auto-sync = yes
sync-rsync-verify-jobs = 1
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4

# for daily squashfs snapshots
#sync-type = squashdelta
#sync-uri = mirror://gentoo/../snapshots/squashfs

But then there is that part at the end:
https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html wrote:
The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it present) and put the following values into /etc/portage/repos.conf:
Code:
[gentoo]
sync-type = webrsync
sync-webrsync-delta = true  # false to use plain webrsync
sync-webrsync-verify-signature = true

Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.

Should I do that now or should I just wait for the next portage version or emerge-webrsync or what?
Sorry, usually I have no problem understanding news like that but that article just confuses me...
Thanks in advance.


Last edited by xanderal on Wed Jul 17, 2019 5:50 pm; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

PostPosted: Sun Jul 14, 2019 9:31 am    Post subject: Reply with quote

xanderal,

Its safe to do it now and it prevents you from picking up a poisoned key if Gentoo distro keys were attacked.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
xanderal
Tux's lil' helper
Tux's lil' helper


Joined: 06 Mar 2019
Posts: 129
Location: Germany

PostPosted: Sun Jul 14, 2019 7:07 pm    Post subject: Reply with quote

NeddySeagoon wrote:
xanderal,

Its safe to do it now and it prevents you from picking up a poisoned key if Gentoo distro keys were attacked.

Ok, got to be real nooby here and ask for clarification: What is "it"?
emerge --sync?
emerge-webrsync?
change of repos.conf and then emerge --sync?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 44900
Location: 56N 3W

PostPosted: Sun Jul 14, 2019 9:05 pm    Post subject: Reply with quote

xanderal,

It changes how Gentoo keys are delivered to you.

Make the configuration change, then nothing.
Next time you use either webrsync or delta-webrsync, it will use the gemato distributed keys.

If you use neither webrsync or delta-webrsync, there is noting you need do.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
xanderal
Tux's lil' helper
Tux's lil' helper


Joined: 06 Mar 2019
Posts: 129
Location: Germany

PostPosted: Wed Jul 17, 2019 6:36 pm    Post subject: Reply with quote

Ok, just in case anyone else wants to know:
Just synced with 'emerge --sync' without changing the config, everything worked well, update afterwards, too.
So, thanks NeddySeagoon again ;)
Back to top
View user's profile Send private message
mrbassie
Guru
Guru


Joined: 31 May 2013
Posts: 578

PostPosted: Thu Jul 18, 2019 11:18 am    Post subject: Reply with quote

I'm getting the following output from emerge --sync
Code:
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg:                 aka "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" [unknown]
gpg: WARNING: Using untrusted key!


Should I be concerned?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum