wenzi Tux's lil' helper
Joined: 18 Jan 2019 Posts: 106
Posted: Sun Aug 04, 2019 3:33 am Post subject: emerge --sync error
I installed Gentoo following the wiki. At the emerge-webrsync step everything is OK, but with emerge --sync I get this error:
```
OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: General error
```
Sorry for my poor English.

commie1337 n00b
Joined: 04 Aug 2019 Posts: 7
Posted: Sun Aug 04, 2019 3:57 am
I've gotten the exact same error on my recent installs. It doesn't seem to change anything if you proceed with the installation without running the command. Hope that helps.

nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil

mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Sun Aug 04, 2019 11:58 am
Many users report problems with tree verification. It doesn't work well on my machines, either.
I therefore recommend disabling it until the developers come up with a better solution.
1. Emerge portage without the USE flag 'rsync-verify', AND
2. Add the lines below to the 'DEFAULT' section of /etc/portage/repos.conf/gentoo.conf:
Code:
```
sync-rsync-verify-metamanifest = no
sync-allow-hardlinks = no
```
3. Please look at the 'gentoo' section of the same file. In case there are entries that override the entries you added in step 2, remove them.

EDIT: added item 3 after this post.
Last edited by mike155 on Tue Aug 06, 2019 5:05 pm; edited 1 time in total

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54453 Location: 56N 3W
Posted: Sun Aug 04, 2019 12:09 pm
wenzi,
That means that the keys you have cannot be checked for updates.
It's not a problem provided that the keys you have are not expired.

nubiocicarini,
That key poisoning attack does not apply to keys.gentoo.org as it does not sync with the rest of the hkps network and updates to it are restricted too.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

nubiocicarini Tux's lil' helper
Joined: 20 Feb 2019 Posts: 80 Location: Brazil
Posted: Sun Aug 04, 2019 6:10 pm
NeddySeagoon wrote:
> nubiocicarini,
> That key poisoning attack does not apply to keys.gentoo.org as it does not sync with the rest of the hkps network and updates to it are restricted too.

Why am I having this problem right now?

leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 326
Posted: Sun Aug 04, 2019 6:34 pm
NeddySeagoon wrote:
> wenzi,
> That means that the keys you have cannot be checked for updates.
> It's not a problem provided that the keys you have are not expired.
> nubiocicarini,
> That key poisoning attack does not apply to keys.gentoo.org as it does not sync with the rest of the hkps network and updates to it are restricted too.

Is there any way to fix it without disabling verification?

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54453 Location: 56N 3W
Posted: Sun Aug 04, 2019 6:37 pm
leonchik1976,
Intermittent failures like that are not a problem, so there is nothing to fix.
If it fails every time, that's a problem.

cmaurand n00b
Joined: 21 Dec 2004 Posts: 42 Location: Biddeford, ME
Posted: Mon Aug 05, 2019 12:43 pm Post subject: Giving up
I used to run Gentoo all the time. I gave up on it when I couldn't keep it updated due to the constantly changing init system. Then I went to Ubuntu server. Ubuntu server has latency issues that I think are related to systemd. So I thought that I would give Gentoo another shot. I need a primary DNS server and systemd does not lend itself to actually running a DNS server. It wants to use systemd-resolved, which is just a total piece of garbage. I digress. I've spent several hours getting a system built even with the mistakes in the docs and got around the parts that don't work, like the missing dependencies that need to be installed, but aren't mentioned in the docs.
Then I got to the step "emerge --sync" and got key errors. I've been getting key errors for several days. Apparently I'm not the only one and this problem has been going on for quite a number of months. I give up.
I'm giving up on Gentoo, too. This kind of thing should just work. I shouldn't have to spend hours jumping through hoops to get it to work, either. Especially when the trouble is on the Gentoo end and nothing is getting done to fix this issue. emerge-webrsync works OK, but that is not the preferred method, is it?
I can't be spending this much time just trying to get a headless server running. I've spent hours tracking down this error and that and then got stuck on this and there doesn't seem to be a coherent solution. The install shouldn't be this difficult and I've been working with Linux for 25 years.
--Curtis
_________________
Curtis

leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 326
Posted: Mon Aug 05, 2019 2:08 pm Post subject: Re: Giving up
cmaurand wrote:
> I used to run Gentoo all the time. I gave up on it when I couldn't keep it updated due to the constantly changing init system. Then I went to Ubuntu server. Ubuntu server has latency issues that I think are related to systemd. So I thought that I would give Gentoo another shot. I need a primary DNS server and systemd does not lend itself to actually running a DNS server. It wants to use systemd-resolved, which is just a total piece of garbage. I digress. I've spent several hours getting a system built even with the mistakes in the docs and got around the parts that don't work, like the missing dependencies that need to be installed, but aren't mentioned in the docs.
> Then I got to the step "emerge --sync" and got key errors. I've been getting key errors for several days. Apparently I'm not the only one and this problem has been going on for quite a number of months. I give up.
> I'm giving up on Gentoo, too. This kind of thing should just work. I shouldn't have to spend hours jumping through hoops to get it to work, either. Especially when the trouble is on the Gentoo end and nothing is getting done to fix this issue. emerge-webrsync works OK, but that is not the preferred method, is it?
> I can't be spending this much time just trying to get a headless server running. I've spent hours tracking down this error and that and then got stuck on this and there doesn't seem to be a coherent solution. The install shouldn't be this difficult and I've been working with Linux for 25 years.
> --Curtis

I agree with you 100%, and feel the same.
I have also had this issue for several days.

Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54453 Location: 56N 3W
Posted: Mon Aug 05, 2019 3:09 pm
leonchik1976, cmaurand,
It works from Scotland.
Code:
```
* Manifest timestamp: 2019-08-05 02:09:02 UTC
* Valid OpenPGP signature found:
* - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
* - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
* - timestamp: 2019-08-05 02:09:02 UTC
```

mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Mon Aug 05, 2019 3:23 pm
cmaurand wrote:
> I'm giving up on Gentoo, too.

Guys, don't waste your time with tree verification. Developers chose the wrong algorithms and did a terrible job. Just disable tree verification. See my post above.
Last edited by mike155 on Mon Aug 05, 2019 3:36 pm; edited 1 time in total

leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 326
Posted: Mon Aug 05, 2019 3:27 pm
mike155 wrote:
> Quote:
> > I'm giving up on Gentoo, too.
>
> Guys, don't waste your time with tree verification. Developers chose the wrong algorithm and did a terrible job. Just disable tree verification. See my post above.

If I understand correctly, tree verification is a layer of security? Or am I wrong?

mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Mon Aug 05, 2019 3:40 pm
Quote:
> If I understand correctly, tree verification is a layer of security? Or am I wrong?

Tree verification can increase security - if (and only if) done correctly.
Just adding some random crypto stuff and frustrating users will lead to the opposite.

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54453 Location: 56N 3W
Posted: Mon Aug 05, 2019 4:54 pm
mike155,
As always, patches welcome.

freke Veteran
Joined: 23 Jan 2003 Posts: 1006 Location: Somewhere in Denmark
Posted: Mon Aug 05, 2019 6:29 pm
NeddySeagoon wrote:
> leonchik1976, cmaurand,
> It works from Scotland.
> Code:
> ```
> * Manifest timestamp: 2019-08-05 02:09:02 UTC
> * Valid OpenPGP signature found:
> * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
> * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> * - timestamp: 2019-08-05 02:09:02 UTC
> ```

And Denmark.
Code:
```
ns ~ # emerge --sync
>>> Syncing repository 'gentoo' into '/opt/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ ok ]
>>> Starting rsync with rsync://[2a00:1828:a00d:ffff::6]/gentoo-portage...
>>> Checking server timestamp ...
Welcome to turnstone.gentoo.org / rsync.gentoo.org
Server Address : 89.238.71.6, 2a00:1828:a00d:ffff::6
Contact Name : mirror-admin@gentoo.org
Hardware : 16 x Intel(R) Xeon(R) CPU E5530 @ 2.40GHz, 24160MB RAM
Sponsor : Manitu GmbH, St. Wendel, Germany
Please note: common gentoo-netiquette says you should not sync more
than once a day. Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.
MOTD autogenerated by update-rsync-motd on Thu Apr 4 19:04:00 UTC 2019
receiving incremental file list
timestamp.chk
Number of files: 1 (reg: 1)
Number of created files: 0
Number of deleted files: 0
Number of regular files transferred: 1
Total file size: 32 bytes
Total transferred file size: 32 bytes
Literal data: 32 bytes
Matched data: 0 bytes
File list size: 41
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 104
Total bytes received: 132
sent 104 bytes received 132 bytes 157.33 bytes/sec
total size is 32 speedup is 0.14
Welcome to turnstone.gentoo.org / rsync.gentoo.org
Server Address : 89.238.71.6, 2a00:1828:a00d:ffff::6
Contact Name : mirror-admin@gentoo.org
Hardware : 16 x Intel(R) Xeon(R) CPU E5530 @ 2.40GHz, 24160MB RAM
Sponsor : Manitu GmbH, St. Wendel, Germany
Please note: common gentoo-netiquette says you should not sync more
than once a day. Users who abuse the rsync.gentoo.org rotation
may be added to a temporary ban list.
MOTD autogenerated by update-rsync-motd on Thu Apr 4 19:04:00 UTC 2019
receiving incremental file list
...
...
...
Number of files: 162,325 (reg: 135,040, dir: 27,285)
Number of created files: 191 (reg: 180, dir: 11)
Number of deleted files: 129 (reg: 128, dir: 1)
Number of regular files transferred: 511
Total file size: 220.25M bytes
Total transferred file size: 6.54M bytes
Literal data: 6.54M bytes
Matched data: 0 bytes
File list size: 3.82M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 39.58K
Total bytes received: 10.58M
sent 39.58K bytes received 10.58M bytes 471.84K bytes/sec
total size is 220.25M speedup is 20.75
* Manifest timestamp: 2019-08-05 17:39:02 UTC
* Valid OpenPGP signature found:
* - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
* - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
* - timestamp: 2019-08-05 17:39:02 UTC
```

nc-pv n00b
Joined: 01 Oct 2012 Posts: 45
Posted: Mon Aug 05, 2019 7:39 pm
Hi.
I am trying to understand whether or not I am having the same issue.
I have an (almost) offline Gentoo system that can access certain Gentoo mirrors via an HTTP-only proxy (that I can't control). I manually downloaded and imported the GPG keys needed for the verification (Release media signatures), and whenever portage was complaining about expired keys I was manually retrieving the needed keys and importing them again. That method worked for years.
After the last portage update, emerge --sync (using webrsync) is trying to contact the key server and refresh the signatures. Many people here report that this is broken, but in my case portage does not have a single chance to contact the server, because the system is offline and making it online is out of the question.
Is it a (recently introduced) flaw in the design of the portage system that requires Gentoo systems to be able to connect and retrieve keys from the key server in order to use tree verification?
How can I tell portage NOT to try to refresh the keys? It has worked previously for years, but it is broken now.
_________________
Use GNU/Linux
Last edited by nc-pv on Wed Feb 10, 2021 2:12 pm; edited 2 times in total

cmaurand n00b
Joined: 21 Dec 2004 Posts: 42 Location: Biddeford, ME
Posted: Tue Aug 06, 2019 3:15 pm
mike155 wrote:
> Many users report problems with tree verification. It doesn't work well on my machines, either.
> I therefore recommend disabling it until the developers come up with a better solution.
> - Emerge portage without the USE flag 'rsync-verify', AND
> - Add the lines below to the DEFAULT section of /etc/portage/repos.conf/gentoo.conf:
> Code:
> ```
> sync-rsync-verify-metamanifest = no
> sync-allow-hardlinks = no
> ```

Sorry, that did not work. It still tried to verify the keys. The entries belong in the Gentoo section. Then it worked.
Then grub install failed. The docs are incorrect, yet again. It's taken a week to get this far. Shouldn't be this way.
Last edited by cmaurand on Tue Aug 06, 2019 3:49 pm; edited 2 times in total

leonchik1976 Guru
Joined: 24 Jan 2010 Posts: 326
Posted: Tue Aug 06, 2019 3:16 pm
cmaurand wrote:
> mike155 wrote:
> > Many users report problems with tree verification. It doesn't work well on my machines, either.
> > I therefore recommend disabling it until the developers come up with a better solution.
> > - Emerge portage without the USE flag 'rsync-verify', AND
> > - Add the lines below to the DEFAULT section of /etc/portage/repos.conf/gentoo.conf:
> > Code:
> > ```
> > sync-rsync-verify-metamanifest = no
> > sync-allow-hardlinks = no
> > ```
>
> Sorry, that did not work. It still tried to verify the keys

For me it also didn't work.

mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Tue Aug 06, 2019 3:27 pm
cmaurand wrote:
> Sorry, that did not work. It still tried to verify the keys. The entries belong in the Gentoo section. Then it worked.

cmaurand: please show us your file: '/etc/portage/repos.conf/gentoo.conf'.

leonchik1976 wrote:
> for me also didn't work

leonchik1976: please show us your file: '/etc/portage/repos.conf/gentoo.conf'.
Please note that cmaurand managed to get it working after he wrote the entries to the 'gentoo' section. For me, it works if I add the entries to the 'DEFAULT' section, but it could be that cmaurand's and your 'gentoo' section override or ignore values of the 'DEFAULT' section.

cmaurand n00b
Joined: 21 Dec 2004 Posts: 42 Location: Biddeford, ME
Posted: Tue Aug 06, 2019 4:40 pm
mike155 wrote:
> cmaurand wrote:
> > Sorry, that did not work. It still tried to verify the keys. The entries belong in the Gentoo section. Then it worked.
>
> cmaurand: please show us your file: '/etc/portage/repos.conf/gentoo.conf'.
>
> leonchik1976 wrote:
> > for me also didn't work
>
> leonchik1976: please show us your file: '/etc/portage/repos.conf/gentoo.conf'.
> Please note that cmaurand managed to get it working after he wrote the entries to the 'gentoo' section. For me, it works if I add the entries to the 'DEFAULT' section, but it could be that cmaurand's and your 'gentoo' section override or ignore values of the 'DEFAULT' section.

There was an rsync-verify line in the gentoo section that overrode the default section. My grub problem is a separate conversation.
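
The override described in the posts above (a key in the 'gentoo' section taking precedence over the same key in 'DEFAULT') can be checked mechanically, which also shows at a glance which repositories end up syncing without tree verification. This is an added example, not part of any post in this thread and not Portage's own code; the sample file contents, the 'local-overlay' repository and the function names are constructed for illustration, and treating 'no'/'false' as the disabling values is an assumption.

```python
import configparser

VERIFY_KEY = "sync-rsync-verify-metamanifest"  # option name quoted in the thread

# Constructed sample (not a file from the thread): DEFAULT disables
# verification, but the 'gentoo' section carries its own line for the same key.
SAMPLE_REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo
sync-rsync-verify-metamanifest = no
sync-allow-hardlinks = no

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-rsync-verify-metamanifest = yes

[local-overlay]
location = /var/db/repos/local-overlay
sync-type = rsync
sync-uri = rsync://rsync.example.invalid/local-overlay
"""


def effective_settings(text, key=VERIFY_KEY):
    """Return {repo: (value, origin)}; origin names the section that set it."""
    # Treat [DEFAULT] as an ordinary section so the inheritance is resolved
    # explicitly below instead of silently inside configparser.
    parser = configparser.ConfigParser(
        default_section="__no_default__", delimiters=("=",), interpolation=None
    )
    parser.read_string(text)
    default_value = None
    if parser.has_section("DEFAULT"):
        default_value = parser["DEFAULT"].get(key)
    result = {}
    for repo in parser.sections():
        if repo == "DEFAULT":
            continue
        own_value = parser[repo].get(key)
        if own_value is not None:
            # A line in the repository's own section wins over DEFAULT.
            result[repo] = (own_value.strip().lower(), repo)
        elif default_value is not None:
            result[repo] = (default_value.strip().lower(), "DEFAULT")
        else:
            # Set nowhere in the file: Portage's built-in default applies.
            result[repo] = (None, "unset")
    return result


def repos_without_verification(settings):
    """Repos whose effective value switches verification off (assumed: no/false)."""
    return sorted(r for r, (v, _) in settings.items() if v in ("no", "false"))


if __name__ == "__main__":
    settings = effective_settings(SAMPLE_REPOS_CONF)
    for repo, (value, origin) in settings.items():
        print(f"{repo}: {VERIFY_KEY} = {value} (from {origin})")
    print("verification disabled for:", repos_without_verification(settings))
```

On the constructed sample, 'gentoo' still verifies because of its own line, while 'local-overlay' silently inherits the disabled setting from 'DEFAULT'.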

nc-pv n00b
Joined: 01 Oct 2012 Posts: 45
Posted: Tue Aug 06, 2019 5:06 pm
NeddySeagoon wrote:
> That means that the keys you have cannot be checked for updates.
> It's not a problem provided that the keys you have are not expired.

NeddySeagoon,
All keys that I have listed (gpg -k) are not expired. But nevertheless emerge --sync is trying to refresh keys via WKD.
How to explain this behavior? Is it a requirement from now on that the system must be able to refresh the keys if tree verification is requested? If so (I hope not) this effectively renders the verification feature unusable for semi-offline installations. Removing this layer of security does not do anything good.
Do you happen to know which specific key is used for this verification?

mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Tue Aug 06, 2019 5:08 pm
cmaurand wrote:
> There was an rsync-verify line in the gentoo section that overrode the default section.

Thanks. I added an item to my original post.

vcmota Guru
Joined: 19 Jun 2017 Posts: 372
Posted: Wed Aug 07, 2019 1:11 pm
NeddySeagoon wrote:
> leonchik1976, cmaurand,
> It works from Scotland.
> Code:
> ```
> * Manifest timestamp: 2019-08-05 02:09:02 UTC
> * Valid OpenPGP signature found:
> * - primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
> * - subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
> * - timestamp: 2019-08-05 02:09:02 UTC
> ```

Hi NeddySeagoon. That means that if I just change the GENTOO_MIRRORS keyword in make.conf to look for mirrors in Scotland or Denmark it will work? Right now I am using the mirrors in Brazil. Thank you.