Add two new configuration options to rsync repositories: sync-rsync-verify-metamanifest and sync-rsync-openpgp-key-path. The first controls whether gemato verification is run for the repository (defaults to true for ::gentoo, false otherwise), the second makes it possible to override the key path for custom repositories. --- cnf/repos.conf | 1 + man/portage.5 | 11 +++++++++++ pym/portage/sync/modules/rsync/__init__.py | 4 +++- pym/portage/sync/modules/rsync/rsync.py | 20 +++++++++++++++++++- 4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/cnf/repos.conf b/cnf/repos.conf index 062fc0d10..644687515 100644 --- a/cnf/repos.conf +++ b/cnf/repos.conf @@ -6,6 +6,7 @@ location = /usr/portage sync-type = rsync sync-uri = rsync://rsync.gentoo.org/gentoo-portage auto-sync = yes +sync-rsync-verify-metamanifest = yes # for daily squashfs snapshots #sync-type = squashdelta diff --git a/man/portage.5 b/man/portage.5 index e724e1f08..5e8127778 100644 --- a/man/portage.5 +++ b/man/portage.5 @@ -1071,10 +1071,21 @@ Extra options to give to rsync on repository synchronization. It takes precedence over a declaration in [DEFAULT] section, that takes precedence over PORTAGE_RSYNC_EXTRA_OPTS. .TP +.B sync-rsync-openpgp-key-path +Path to the OpenPGP key(ring) used to verify MetaManifest. Used only +if \fBsync-rsync-verify-metamanifest\fR is enabled. Defaults to +\fB/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg\fR (path +used by \fBapp-crypt/gentoo-keys\fR). +.TP .B sync-rsync-vcs-ignore = true|false Ignore vcs directories that may be present in the repository. It is the user's responsibility to set sync-rsync-extra-opts to protect vcs directories if appropriate. +.TP +.B sync-rsync-verify-metamanifest = true|false +Require the repository to contain a signed MetaManifest and verify +it using \fBapp-portage/gemato\fR. Defauls to true for the \fBgentoo\fR +repository and false otherwise. .RE diff --git a/pym/portage/sync/modules/rsync/__init__.py b/pym/portage/sync/modules/rsync/__init__.py index c2fdc4188..df9a1995a 100644 --- a/pym/portage/sync/modules/rsync/__init__.py +++ b/pym/portage/sync/modules/rsync/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2014 Gentoo Foundation +# Copyright 2014-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 doc = """Rsync plug-in module for portage. 
@@ -27,7 +27,9 @@ module_spec = {
 		'validate_config': CheckSyncConfig,
 		'module_specific_options': (
 			'sync-rsync-extra-opts',
+			'sync-rsync-openpgp-key-path',
 			'sync-rsync-vcs-ignore',
+			'sync-rsync-verify-metamanifest',
 		),
 	}
 }
diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
index c80641ba3..613bedd0c 100644
--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 import sys
@@ -82,6 +82,17 @@ class RsyncSync(NewBase):
 			self.extra_rsync_opts.extend(portage.util.shlex_split(
 				self.repo.module_specific_options['sync-rsync-extra-opts']))
 
+		# Process GLEP74 verification options.
+		# Default verification to 'on' for ::gentoo, 'off' otherwise.
+		self.verify_metamanifest = (
+				self.repo.module_specific_options.get(
+					'sync-rsync-verify-metamanifest', False))
+		# Default to gentoo-keys keyring.
+		self.openpgp_key_path = (
+				self.repo.module_specific_options.get(
+					'sync-rsync-openpgp-key-path',
+					'/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg'))
+
 		# Real local timestamp file.
 		self.servertimestampfile = os.path.join(
 			self.repo.location, "metadata", "timestamp.chk")
@@ -259,6 +270,13 @@ class RsyncSync(NewBase):
 					exitcode = EXCEEDED_MAX_RETRIES
 					break
 			self._process_exitcode(exitcode, dosyncuri, out, maxretries)
+
+			# if synced successfully, verify now
+			if exitcode == 0 and self.verify_metamanifest:
+				command = ['gemato', 'verify', '-K', self.openpgp_key_path,
+						'-s', self.repo.location]
+				exitcode = portage.process.spawn(command, **self.spawn_kwargs)
+
 			return (exitcode, updatecache_flg)
-- 
2.16.1
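Review bot: The value stored in `self.verify_metamanifest` in the `@@ -82` hunk is the raw config string, not a boolean, so a user setting `sync-rsync-verify-metamanifest = no` (or `false`) still enables verification because any non-empty string is truthy; the neighbouring `sync-rsync-extra-opts` is passed through `shlex_split`, which suggests `module_specific_options` values are plain strings. A parse such as `self.verify_metamanifest = (self.repo.module_specific_options.get('sync-rsync-verify-metamanifest', 'no').lower() in ('yes', 'true'))` would make the option honour both spellings the man page advertises. The comment "Default verification to 'on' for ::gentoo, 'off' otherwise" is also misleading here, since the code default is unconditionally off and the ::gentoo default comes only from the `cnf/repos.conf` entry; I would reword it to `# Default is off; cnf/repos.conf turns it on for ::gentoo.` The enclosing method starts outside the hunk.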
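Review bot: In the `@@ -259` hunk the gemato check runs only after rsync has already replaced the tree at `self.repo.location`, so when verification fails the unverified content (and, presumably, the updated timestamp) is already live on disk and the caller only sees a non-zero exit code while `updatecache_flg` is still returned unchanged. At minimum the failure should clear the cache-update flag and be logged as a verification failure rather than a sync failure, e.g. `exitcode = portage.process.spawn(command, **self.spawn_kwargs)` followed by `if exitcode != 0: updatecache_flg = False`; a fuller fix would sync into a staging location and only swap it in once gemato accepts it, which is out of scope for this hunk. It is also worth a comment that a missing `gemato` binary or keyring makes this path fail closed (spawn returning non-zero or raising), since that is the intended behaviour but is not stated. The enclosing method starts outside the hunk.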