This is a bit long but it's mostly just stuff copied from my terminal for completeness. -MWK
On Wed, Aug 6, 2014 at 5:58 PM, Duncan <1i5t5.dun...@cox.net> wrote:
> Mark Knecht posted on Wed, 06 Aug 2014 14:33:28 -0700 as excerpted:
>
>> OK, I've modified make.conf as such:
>>
>> FEATURES="buildpkg strict webrsync-gpg"
>> PORTAGE_GPG_DIR="/etc/portage/gpg"
>>
>> and created /etc/portage/gpg:
>
>> drwxr-xr-x 2 root root 4096 Jul 6 09:42
> <SNIP>
>
> Or wait! Actually I can, as google says that's actually part of the
> gentoo handbook! =:^) (Watch the link-wrap and reassemble as necessary,
> I'm lazy today. The arch doesn't matter for this bit so x86/amd64, it's
> all the same.)
>
> https://www.gentoo.org/doc/en/handbook/handbook-x86.xml?
> part=2&chap=3#webrsync-gpg
>

Great link! Thanks.

So I think the important stuff is here, the first 2 lines I managed on
my own, but the gpg part is what's new to me:

[QUOTE]
# mkdir -p /etc/portage/gpg
# chmod 0700 /etc/portage/gpg
(... Substitute the keys with those mentioned on the release engineering site ...)
# gpg --homedir /etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0xDB6B8C1F96D8BF6D
# gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
[/QUOTE]

From the comment about the Release Engineering site, I think that's here:

https://www.gentoo.org/proj/en/releng/

And the keys match which is good.

Anyway, running the first command is fine. The second command wants me
to make a choice. For now I chose to 'ultimately trust'. (Aren't I
gullible!?!)

[COPY]
c2RAID6 ~ # gpg --homedir /etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
gpg (GnuPG) 2.0.25; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
    trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
    trust: unknown validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
    trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1). Gentoo Portage Snapshot Signing Key (Automated Signing Key)
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> list

pub 4096R/96D8BF6D created: 2011-11-25 expires: 2015-11-24 usage: C
    trust: ultimate validity: unknown
sub 4096R/C9189250 created: 2011-11-25 expires: 2015-11-24 usage: S
[ unknown] (1)* Gentoo Portage Snapshot Signing Key (Automated Signing Key)

gpg> check
uid Gentoo Portage Snapshot Signing Key (Automated Signing Key)
sig!3 96D8BF6D 2011-11-25 [self-signature]
6 signatures not checked due to missing keys

gpg> quit
c2RAID6 ~ #
[/COPY]

I'm not sure how to short of a reboot 'restart the program', nor what
the line

6 signatures not checked due to missing keys

really means.

That said it appears to be working better than yesterday:

c2RAID6 ~ # eix-sync -w
 * Running emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20140806 snapshot from http://gentoo.osuosl.org ...
Fetching file portage-20140806.tar.xz.md5sum ...
Fetching file portage-20140806.tar.xz.gpgsig ...
Fetching file portage-20140806.tar.xz ...
Checking digest ...
Checking signature ...
gpg: Signature made Wed Aug 6 17:55:26 2014 PDT using RSA key ID C9189250
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-11-24
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]
Getting snapshot timestamp ...
Syncing local tree ...

Number of files: 178933
Number of files transferred: 6846
Total file size: 327.27M bytes
Total transferred file size: 19.96M bytes
Literal data: 19.96M bytes
Matched data: 0 bytes
File list size: 4.32M
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 12.38M
Total bytes received: 156.23K

sent 12.38M bytes received 156.23K bytes 166.03K bytes/sec
total size is 327.27M speedup is 26.11
Cleaning up ...
 * Copying old database to /var/cache/eix/previous.eix
 * Running eix-update
Reading Portage settings ..
<SNIP>
[474] "zx2c4" layman/zx2c4 (cache: eix* /tmp/eix-remote.MbcFER9d/zx2c4.eix [*/zx2c4])
Reading Packages .. Finished
Applying masks ..
Calculating hash tables ..
Writing database file /var/cache/eix/remote.eix ..
Database contains 31587 packages in 234 categories.
 * Calling eix-diff
Diffing databases (17596 -> 17598 packages)
[>] == games-util/umodpack (0.5_beta16-r1 -> 0.5_beta16-r2): portable and useful [un]packer for Unreal Tournament's Umod files
[U] == media-libs/libbluray (0.5.0-r1{tbz2}@06/19/14; (~)0.5.0-r1{tbz2} -> (~)0.6.1): Blu-ray playback libraries
[>] == net-misc/chrony (1.30^t -> 1.30-r1^t): NTP client and server programs
[U] == sys-devel/gnuconfig (20131128{tbz2}@02/18/14; 20131128{tbz2} -> 20140212): Updated config.sub and config.guess file from GNU
[U] == virtual/libgudev (215(0/0){tbz2}@08/05/14; 215(0/0){tbz2} -> 215-r1(0/0)): Virtual for libgudev providers
[U] == virtual/libudev (215(0/1){tbz2}@08/05/14; 215(0/1){tbz2} -> 215-r1(0/1)): Virtual for libudev providers
[D] == www-client/google-chrome-beta (37.0.2062.58_p1{tbz2}@08/05/14; (~)37.0.2062.58_p1^msd{tbz2} -> ~37.0.2062.68_p1^msd): The web browser from Google
[U] == www-client/google-chrome-unstable (38.0.2107.3_p1{tbz2}@08/06/14; (~)38.0.2107.3_p1^msd{tbz2} -> (~)38.0.2114.2_p1^msd): The web browser from Google
[N] >> dev-ruby/prawn-table (~0.1.0): Provides support for tables in Prawn
[N] >> sys-apps/cv (~0.4.1): Coreutils Viewer: show progress for cp, rm, dd, and so forth
 * Time statistics:
136 seconds for syncing
43 seconds for eix-update
2 seconds for eix-diff
197 seconds total
c2RAID6 ~ #

So that's all looking pretty good, as a first step. If it's a matter
of 3 1/2 minutes instead of 1-2 minutes then I can live with that part.

However that's just (I think) the portage tree and not signed source
code, correct?

Now, is the idea that I have a validated portage snapshot at this
point and still have to actually get the code using the regular emerge
which will do the checking because I have:

FEATURES="buildpkg strict webrsync-gpg"

I don't see any evidence that emerge checked what it downloaded, but
maybe those checks are only done when I really build the code?

c2RAID6 ~ # emerge -fDuN @world
Calculating dependencies... done!

>>> Fetching (1 of 5) sys-devel/gnuconfig-20140212
>>> Downloading 'http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2'
--2014-08-07 11:12:11-- http://gentoo.osuosl.org/distfiles/gnuconfig-20140212.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44808 (44K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/gnuconfig-20140212.tar.bz2'

100%[================================================================>] 44,808 113KB/s in 0.4s

2014-08-07 11:12:13 (113 KB/s) - '/usr/portage/distfiles/gnuconfig-20140212.tar.bz2' saved [44808/44808]

 * gnuconfig-20140212.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]

>>> Fetching (2 of 5) media-libs/libbluray-0.6.1
>>> Downloading 'http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2'
--2014-08-07 11:12:13-- http://gentoo.osuosl.org/distfiles/libbluray-0.6.1.tar.bz2
Resolving gentoo.osuosl.org... 140.211.166.134
Connecting to gentoo.osuosl.org|140.211.166.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 586646 (573K) [application/x-bzip2]
Saving to: '/usr/portage/distfiles/libbluray-0.6.1.tar.bz2'

100%[================================================================>] 586,646 716KB/s in 0.8s

2014-08-07 11:12:15 (716 KB/s) - '/usr/portage/distfiles/libbluray-0.6.1.tar.bz2' saved [586646/586646]

 * libbluray-0.6.1.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]

>>> Fetching (3 of 5) virtual/libudev-215-r1
>>> Fetching (4 of 5) virtual/libgudev-215-r1
>>> Fetching (5 of 5) www-client/google-chrome-unstable-38.0.2114.2_p1
>>> Downloading
>>> 'http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb'
--2014-08-07 11:12:16-- http://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-unstable/google-chrome-unstable_38.0.2114.2-1_amd64.deb
Resolving dl.google.com... 74.125.239.2, 74.125.239.6, 74.125.239.4, ...
Connecting to dl.google.com|74.125.239.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47472462 (45M) [application/x-debian-package]
Saving to: '/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb'

100%[================================================================>] 47,472,462 6.81MB/s in 7.1s

2014-08-07 11:12:23 (6.37 MB/s) - '/usr/portage/distfiles/google-chrome-unstable_38.0.2114.2-1_amd64.deb' saved [47472462/47472462]

 * google-chrome-unstable_38.0.2114.2-1_amd64.deb SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
c2RAID6 ~ #

Cheers,
Mark
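
Added example, not part of the original message and not Portage's own code: the "SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]" lines in the emerge output above are the distfile check against the DIST entries of each package's Manifest, which ships inside the signature-verified snapshot. The Python below performs the same size-and-digest comparison on a constructed file and a constructed DIST line; the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def parse_dist_entry(line):
    """Parse 'DIST <name> <size> <ALGO> <hex> ...' into (name, size, {algo: hex})."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def verify_distfile(path, manifest_line):
    """Return (ok, checked, skipped); ok is False on any name, size or hash mismatch."""
    name, size, hashes = parse_dist_entry(manifest_line)
    if os.path.basename(path) != name:
        return False, [], []
    if os.path.getsize(path) != size:  # cheap check before hashing
        return False, ["size"], []
    checked, skipped, digests = ["size"], [], {}
    for algo in hashes:
        try:
            digests[algo] = hashlib.new(algo.lower())
        except ValueError:
            skipped.append(algo)  # e.g. WHIRLPOOL is missing from many hashlib builds
    if not digests:
        return False, checked, skipped  # fail closed: no usable hash to compare
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    for algo, d in digests.items():
        checked.append(algo)
        if d.hexdigest() != hashes[algo].lower():
            return False, checked, skipped
    return True, checked, skipped

def demo():
    """Constructed sample: a fake distfile plus a DIST line that matches it."""
    data = b"constructed sample distfile contents\n"
    path = os.path.join(tempfile.mkdtemp(), "example-1.0.tar.bz2")
    with open(path, "wb") as fh:
        fh.write(data)
    line = "DIST example-1.0.tar.bz2 %d SHA256 %s SHA512 %s" % (
        len(data), hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())
    return path, line

if __name__ == "__main__":
    path, line = demo()
    print(verify_distfile(path, line))
```

The distfile hashes are only as trustworthy as the Manifest they come from, which is why the gpg check on the snapshot comes first.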