commit: 2fa73d4e9f789db6cc8f261deea7f3d06f2fd4bb Author: Kerin Millar <kfm <AT> plushkava <DOT> net> AuthorDate: Mon Jun 16 12:42:51 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Jun 17 03:00:41 2025 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=2fa73d4e
emerge-webrsync: fix fallback mode where PORTAGE_GPG_DIR is unset/empty Recently, the method by which the check_file_signature_gpg_unwrapped() function verifies key signatures was found to be insecure. The issue was addressed by requiring for the key to be "ultimately" trusted and by ensuring that all three of the GOODSIG, VALIDSIG and TRUST_ULTIMATE tokens are observable in the output stream of gpg(1). However, this breaks the case where all three of the following conditions hold true. 1) the user hasn't defined FEATURES="webrsync-gpg", per make.conf(5) 2) the user hasn't set PORTAGE_GPG_DIR, or has set it as an empty string 3) gemato is not found in PATH (improbable, though possible) Under such circumstances, emerge-webrsync will attempt to populate an ephemeral keyring by importing the distributed public key block from "/usr/share/openpgp-keys/gentoo-release.asc". The problem is that the relevant key will have an undefined trust level (TRUST_UNDEFINED), which cannot satisfy the newly imposed strictures. Remedy this by identifying the fingerprint of the key with an email adddress of <infrastructure <AT> gentoo.org> and automatically raising its trust level to TRUST_ULTIMATE (which has an internal numerical level of 6). That way, there is no need to curtail the strict verification process and adversely affect other scenarios. Bug: https://bugs.gentoo.org/597800 Fixes: c5247ab0ea0b717f4037b6aa14108d7e41b5e2dd Signed-off-by: Kerin Millar <kfm <AT> plushkava.net> Signed-off-by: Sam James <sam <AT> gentoo.org> bin/emerge-webrsync | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 37852d9472..89b33553b7 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -285,8 +285,8 @@ check_file_signature_gemato() {
 check_file_signature_gpg_unwrapped() {
 local signature=$1 file=$2
+ local fingerprint key
 local -x GNUPGHOME
- local key
 if ! type -P gpg > /dev/null; then
 die "cannot check signature: gpg binary not found"
@@ -309,6 +309,8 @@ check_file_signature_gpg_unwrapped() {
 # public key block shall be imported.
 GNUPGHOME=$(mktemp -d -- "${PORTAGE_TMPDIR}/portage/webrsync.XXXXXX") \
 && gpg --batch --import "${key}" \
+ && fingerprint=$(gpg_fingerprint '<[email protected]>') \
+ && gpg --batch --import-ownertrust <<<"${fingerprint}:6:" \
 || exit
 elif [[ ! -w ${GNUPGHOME} ]]; then
 die "gpgdir is not writable: ${GNUPGHOME}"
@@ -323,6 +325,17 @@ check_file_signature_gpg_unwrapped() {
 fi
 }
+gpg_fingerprint() {
+ local -a fields
+
+ # https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS
+ while IFS=: read -ra fields; do
+ [[ ${fields[0]} == fpr && ${fields[9]} =~ ^[[:xdigit:]]{40}$ ]] \
+ && printf '%s\n' "${fields[9]}" \
+ && return
+ done < <(gpg --with-colons --list-keys "$@")
+}
+
 gpg_verify() {
 local signature=$1 file=$2
 local output token
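Review bot: The `--import-ownertrust` line in the second hunk can run with an empty `${fingerprint}`, because the `&&` chain only sees the exit status of the command substitution, and the `while` loop that is the last command of the new `gpg_fingerprint` (third hunk) can exit 0 when `gpg --list-keys` yields no matching record, so a missing or differently-named key reaches gpg as `:6:` instead of failing the fallback cleanly; whether gpg rejects that line is not visible here. I would make the empty case explicit on both sides: end `gpg_fingerprint` with `return 1` after the `done` line, and add `&& [[ -n ${fingerprint} ]] \` before the `--import-ownertrust` line so the existing `|| exit` takes effect. The uid selector passed to `gpg_fingerprint` looks garbled by the page extraction; the commit message names the infrastructure address, which is what the selector should match. check_file_signature_gpg_unwrapped starts and ends outside these hunks.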
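Review bot: `gpg_fingerprint` in the third hunk carries only a link to the DETAILS document and no statement of its contract, so a reader must work out from the regex which field is selected and why the loop stops at the first hit. Above the function I would add `# Print the fingerprint of the first key matching the given gpg key specifiers, taken from the first 40-hex-digit "fpr" record of --list-keys; prints nothing when no key matches.` If relying on the first record is what keeps subkey fingerprints out of the ownertrust grant (colon output presumably lists the primary key's fpr first), that intent belongs in the comment too, since nothing in the test distinguishes primary from subkey records.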
