Hi Duncan

On Mon, Aug 4, 2014 at 10:52 PM, Duncan <1i5t5.dun...@cox.net> wrote:
<SNIP>
>
> 3) While #1 applies to the tree in general when it is rsynced, gentoo
> does have a somewhat higher security sync method for the paranoid and to
> support users behind firewalls which don't pass rsync.  Instead of
> running emerge sync, this method uses the emerge-webrsync tool, which
> downloads the entire main gentoo tree as a gpg-signed tarball.  If you
> have FEATURES=webrsync-gpg set (see the make.conf manpage, FEATURES,
> webrsync-gpg), portage will verify the gpg signature on this tarball.
>

I'm finally able to investigate this today. I'm not finding very
detailed instructions anywhere, more like notes people would use if
they've done this before and understand all the issues. Being that
it's my first excursion down this road I have much to learn.

OK, I've modified make.conf as such:

FEATURES="buildpkg strict webrsync-gpg"
PORTAGE_GPG_DIR="/etc/portage/gpg"

and created /etc/portage/gpg:


c2RAID6 portage # ls -al
total 72
drwxr-xr-x 13 root root 4096 Aug  6 14:25 .
drwxr-xr-x 87 root root 4096 Aug  6 09:10 ..
drwxr-xr-x  2 root root 4096 Apr 27 10:26 bin
-rw-r--r--  1 root root   22 Jan  1  2014 categories
drwxr-xr-x  2 root root 4096 Jul  6 09:42 env
drwx------  2 root root 4096 Aug  6 14:03 gpg
-rw-r--r--  1 root root 1573 Aug  6 14:03 make.conf
lrwxrwxrwx  1 root root   63 Mar  5  2013 make.profile ->
../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
[the rest deleted...]


eix-sync seems to be working but it may (or may not) be caught in some
loop where it just keeps looking for older data. I let it go until it
got back into July and then did a Ctrl-C:

c2RAID6 portage # eix-sync -wa
 * Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140805 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140805.tar.xz.md5sum ...
Fetching file portage-20140805.tar.xz.gpgsig ...
Fetching file portage-20140805.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug  5 17:55:23 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.bz2.md5sum ...
Fetching file portage-20140805.tar.bz2.gpgsig ...
Fetching file portage-20140805.tar.bz2 ...
Checking digest ...
Checking signature ...
gpg: Signature made Tue Aug  5 17:55:22 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key
Fetching file portage-20140805.tar.gz.md5sum ...
20140805 snapshot was not found
Trying to retrieve 20140804 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140804.tar.xz.md5sum ...
Fetching file portage-20140804.tar.xz.gpgsig ...
Fetching file portage-20140804.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Mon Aug  4 17:55:27 2014 PDT using RSA key ID C9189250
gpg: Can't check signature: No public key


QUESTIONS:

1) Is the 'No public key' message talking about me, or something at
the source? I haven't got any keys so maybe I need to generate one?

2) Once I do get this working correctly it would make sense to me that
I need to delete all existing distfiles to ensure that anything on my
system actually came from this tarball. Is that correct?


<SNIP>
> So sync-method bottom line, if you're paranoid or simply want additional
> gpg-signed security, use emerge-webrsync along with FEATURES=webrsync-gpg,
> instead of normal rsync-based emerge sync.  That pretty well ensures that
> you're getting exactly the gentoo tree tarball gentoo built and signed,
> which is certainly far more secure than normal rsync syncing, but because
> the tarballing and signing is automated and covers the entire tree,
> there's still the possibility that one or more files in that tarball are
> compromised and that it hasn't been detected yet.

Or, as we both have alluded to, the bad guy is intercepting the
transmission and giving me a different tarball...

For now, it's more than enough to take a baby first step.

Thanks for all your sharing of info!

Cheers,
Mark
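The three outcomes the thread touches on (the "No public key" run above, the same check once the signer's public key is in PORTAGE_GPG_DIR, and a tarball altered in transit) can be reproduced offline. The script below is an added example, not code from Gentoo, Portage or either poster: it plays both sides with a throwaway key, then runs the same `gpg --verify` of the detached `.gpgsig` that emerge-webrsync performs with FEATURES=webrsync-gpg. The signer identity `signer@example.invalid`, the snapshot file name and the directory layout are all constructed for the demo; the real snapshot signing key must come from Gentoo's published key information. "No public key" is gpg reporting that the verifying keyring (here PORTAGE_GPG_DIR) holds no public key matching the key ID in the signature, so generating a key of your own does not change that result.

```shell
#!/bin/sh
# Added example for this thread (not code from Gentoo, Portage or the posters).
# Reproduces, offline and with a throwaway key, the check emerge-webrsync does
# when FEATURES=webrsync-gpg is set: gpg --verify of the detached .gpgsig against
# the keyring in PORTAGE_GPG_DIR. Every name and path is constructed for the demo;
# the real snapshot signing key has to come from Gentoo's published key info.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"               # stands in for the release-engineering side
EMPTY_KEYRING="$WORK/gpg-empty"          # PORTAGE_GPG_DIR with nothing imported yet
KEYED_KEYRING="$WORK/gpg-keyed"          # PORTAGE_GPG_DIR after importing the public key
SNAPSHOT="$WORK/portage-19700101.tar.xz" # constructed stand-in for the snapshot tarball
mkdir -m 700 "$SIGNER_HOME" "$EMPTY_KEYRING" "$KEYED_KEYRING"
trap 'gpgconf --homedir "$SIGNER_HOME" --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

gpg_q() { gpg --batch --no-tty --quiet "$@"; }

# Signer side: generate the key once, detach-sign the tarball, export the public key.
make_signed_snapshot() {
    [ -f "$SNAPSHOT.gpgsig" ] && return 0
    printf 'constructed snapshot contents\n' > "$SNAPSHOT"
    gpg_q --homedir "$SIGNER_HOME" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Snapshot Signer <signer@example.invalid>' ed25519 sign never
    gpg_q --homedir "$SIGNER_HOME" --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$SNAPSHOT.gpgsig" "$SNAPSHOT"
    gpg_q --homedir "$SIGNER_HOME" --export --armor signer@example.invalid > "$WORK/signer.pub"
}

# Verifier side: portage's keyring is $1, the file to check is $2. Returns gpg's
# status: 0 good signature, 1 BAD signature (file altered), 2 cannot check (no key).
verify_with_keyring() {
    gpg --batch --no-tty --homedir "$1" --verify "$2.gpgsig" "$2" 2>"$WORK/verify.log" && return 0
    return $?
}

# Scenario 1 (the run quoted in the mail): empty keyring -> "No public key".
check_without_key() {
    make_signed_snapshot
    verify_with_keyring "$EMPTY_KEYRING" "$SNAPSHOT"
}

# Scenario 2 (the fix): import the signer's public key into the keyring first.
check_with_key() {
    make_signed_snapshot
    gpg_q --homedir "$KEYED_KEYRING" --import "$WORK/signer.pub"
    verify_with_keyring "$KEYED_KEYRING" "$SNAPSHOT"
}

# Scenario 3 (the interception worry): right key, but the tarball was altered
# in transit -> BAD signature, even though the .gpgsig itself is genuine.
check_tampered() {
    check_with_key >/dev/null 2>&1 || true
    tampered="$WORK/tampered.tar.xz"
    cp "$SNAPSHOT" "$tampered"
    cp "$SNAPSHOT.gpgsig" "$tampered.gpgsig"
    printf 'x' >> "$tampered"
    verify_with_keyring "$KEYED_KEYRING" "$tampered"
}

show() {  # one line per scenario: gpg's exit status plus its verdict line
    rc=0; "$2" || rc=$?
    verdict=$(grep -E 'signature|public key' "$WORK/verify.log" | head -n 1 || true)
    printf '%-18s exit=%s  %s\n' "$1" "$rc" "$verdict"
}
show "empty keyring" check_without_key
show "key imported" check_with_key
show "tampered tarball" check_tampered
```

Two details worth noticing in the output: the imported key carries no ownertrust, so gpg prints a "not certified with a trusted signature" warning while still exiting 0, and the tampered case exits 1 rather than 2, so a wrapper that only distinguishes zero from non-zero cannot tell "key missing" from "file altered". Deleting distfiles, as the second question asks, is a separate matter: this signature covers the tree snapshot only, not the distfiles it references.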
