
HOW to change default key retrieving method? #9

Open
yuanzhel opened this issue Mar 24, 2020 · 1 comment

Comments

@yuanzhel

Based on https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
I know that gemato uses WKD by default to check the Gentoo repository.
However, I have tried gpg --locate-keys [email protected] and sadly found it does not work due to a network error. Incidentally, ping also gives no response; I wonder if the site is not working?

On the other hand, gpg --search-keys [email protected] works well.
So I want to change from the WKD way to this one; how could I do it?

@temporaryrespite

This is what I made and have used since about 24 Feb 2020:

This is noautomaticWKDupdates_2of2.patch for gemato-14.3,
and it also needs the portage patch, noautomaticWKDupdates_1of2.patch,
to be complete!

What it does is just use whatever is specified via -K, e.g. /usr/share/openpgp-keys/gentoo-release.asc,
and it doesn't refresh any keys from upstream, either via WKD or via a keyserver.

So without the patch:
$ time gemato verify /var/db/repos/gentoo -K /usr/share/openpgp-keys/gentoo-release.asc --one-file-system --require-signed-manifest  --debug
INFO:root:Refreshing keys...
DEBUG:root:refresh_keys(allow_wkd=True, keyserver=None) called
DEBUG:root:refresh_keys_wkd(): keyid: DB6B8C1F96D8BF6D
DEBUG:root:refresh_keys_wkd(): fingerprint: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
DEBUG:root:refresh_keys_wkd(): UID: [email protected]
DEBUG:root:refresh_keys_wkd(): ignoring UID without mail: Gentoo Portage Snapshot Signing Key (Automated Signing Key)
DEBUG:root:refresh_keys_wkd(): keyid: 9E6438C817072058
DEBUG:root:refresh_keys_wkd(): fingerprint: D99EAC7379A850BCE47DA5F29E6438C817072058
DEBUG:root:refresh_keys_wkd(): UID: [email protected]
DEBUG:root:refresh_keys_wkd(): keyid: BB572E0E2D182910
DEBUG:root:refresh_keys_wkd(): fingerprint: 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
DEBUG:root:refresh_keys_wkd(): UID: [email protected]
DEBUG:root:refresh_keys_wkd(): keyid: A13D0EF1914E7A72
DEBUG:root:refresh_keys_wkd(): fingerprint: EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
DEBUG:root:refresh_keys_wkd(): UID: [email protected]
DEBUG:root:refresh_keys_wkd(): gpg --locate-keys failed: gpg: keybox '/tmp/tmp21ufouoi/pubring.kbx' created
gpg: connecting dirmngr at '/tmp/tmp21ufouoi/S.dirmngr' failed: IPC connect call failed
gpg: error retrieving '[email protected]' via WKD: No dirmngr
gpg: error reading key: No dirmngr
gpg: connecting dirmngr at '/tmp/tmp21ufouoi/S.dirmngr' failed: IPC connect call failed
gpg: error retrieving '[email protected]' via WKD: No dirmngr
gpg: error reading key: No dirmngr
gpg: connecting dirmngr at '/tmp/tmp21ufouoi/S.dirmngr' failed: IPC connect call failed
gpg: error retrieving '[email protected]' via WKD: No dirmngr
gpg: error reading key: No dirmngr

DEBUG:root:GNUPGHOME left for debug purposes: /tmp/tmpo98xmth7
ERROR:root:OpenPGP keyring refresh failed:
gpg: connecting dirmngr at '/tmp/tmpo98xmth7/S.dirmngr' failed: IPC connect call failed
gpg: keyserver refresh failed: No dirmngr


real	0m24.193s
user	0m0.157s
sys	0m0.021s

And with the patch:
$ time gemato verify /var/db/repos/gentoo -K /usr/share/openpgp-keys/gentoo-release.asc --one-file-system --require-signed-manifest  --debug
INFO:root:Refreshing keys...
DEBUG:root:refresh_keys(allow_wkd=True, keyserver=None) called
DEBUG:root:refresh_keys_wkd(): doing nothing (see: /usr/lib64/python3.6/site-packages/gemato/openpgp.py)
DEBUG:root:refresh_keys_keyserver(): doing nothing (see: /usr/lib64/python3.6/site-packages/gemato/openpgp.py)
INFO:root:Keys refreshed.
INFO:root:Manifest timestamp: 2020-02-23 14:08:56 UTC
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
INFO:root:- subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
INFO:root:- timestamp: 2020-02-23 14:08:56 UTC
INFO:root:Verifying /var/db/repos/gentoo...
INFO:root:/var/db/repos/gentoo verified in 10.06 seconds
DEBUG:root:GNUPGHOME left for debug purposes: /tmp/tmp2_ok1oze

real	0m10.263s
user	0m9.316s
sys	0m0.910s

Note: you can use no patch and the arg -R aka --no-refresh-keys
to get the same behaviour! But this patch is intended to be used with 'emerge --sync' (or 'emaint sync'? not tried)!

File installed in: /usr/lib64/python3.6/site-packages/gemato/openpgp.py

--- orig/gemato/openpgp.py	2019-10-25 08:51:40.000000000 +0200
+++ mod/gemato/openpgp.py	2020-02-23 17:53:05.294955755 +0100
@@ -190,7 +190,7 @@ class OpenPGPEnvironment(OpenPGPSystemEn
 
     __slots__ = ['_home']
 
-    def __init__(self, debug=False):
+    def __init__(self, debug=True):
         super(OpenPGPEnvironment, self).__init__(debug=debug)
         self._home = tempfile.mkdtemp()
 
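Review bot: the `debug=False` to `debug=True` default change in `OpenPGPEnvironment.__init__` is unrelated to disabling key refresh and has a side effect visible in both transcripts above: with debug on, every run logs `GNUPGHOME left for debug purposes: /tmp/...` and the temporary keyring directory is never removed, so a daily `emerge --sync` accumulates stale GnuPG homes under /tmp. Drop this hunk, or keep the default and pass `debug=True` only while diagnosing.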
@@ -258,11 +258,14 @@ debug-level guru
         if exitst != 0:
             raise gemato.exceptions.OpenPGPKeyImportError(err.decode('utf8'))
 
-    def refresh_keys_wkd(self):
+    def refresh_keys_wkd(self, Force=False):
         """
         Attempt to fetch updated keys using WKD.  Returns true if *all*
         keys were successfully found.  Otherwise, returns false.
         """
+        if False == Force:
+            logging.debug('refresh_keys_wkd(): doing nothing (see: /usr/lib64/python3.6/site-packages/gemato/openpgp.py)')
+            return False
         # list all keys in the keyring
         # (--fingerprint --fixed-list-mode are necessary for GnuPG-1.4)
         exitst, out, err = self._spawn_gpg(['--with-colons', '--list-keys',
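Review bot: `if False == Force:` is a Yoda comparison on a capitalised parameter; write `def refresh_keys_wkd(self, force=False)` and `if not force:`. More importantly, the early exit returns False, the same value the method already uses to mean "WKD lookup ran but not all keys were found", so a caller such as portage's `SyncBase._refresh_keys` (modified later in this patch) treats a deliberately skipped refresh as a failure and falls through to the keyserver path. Return True for "nothing to do" or raise a distinct exception, and extend the docstring to describe the new parameter. The log message also hard-codes `/usr/lib64/python3.6/site-packages/gemato/openpgp.py`, which is wrong on any other Python version or libdir; `__file__` gives the right path.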
@@ -359,6 +362,8 @@ debug-level guru
         return True
 
     def refresh_keys_keyserver(self, keyserver=None):
+        logging.debug('refresh_keys_keyserver(): doing nothing (see: /usr/lib64/python3.6/site-packages/gemato/openpgp.py)')
+        return
         ks_args = []
         if keyserver is not None:
             ks_args = ['--keyserver', keyserver]
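Review bot: the unconditional `return` at the top of `refresh_keys_keyserver()` turns the whole remaining body (`ks_args = []` onwards) into unreachable code, and a caller that explicitly passes `keyserver=...` now gets a silent no-op with no error. If the keyserver path is to go, delete the body rather than jumping over it; if it is to stay optional, give it the same `force` parameter as `refresh_keys_wkd()` so the two methods behave consistently. The hard-coded installed path in the log message has the same problem as in the previous hunk.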

This is noautomaticWKDupdates_1of2.patch for portage-2.3.89 (last tested on 2.3.96-r1);
it also needs noautomaticWKDupdates_2of2.patch for gemato! (which should already be in place)

It adds the `emerge` arg --forceWKDupdate [ n | y ], which defaults to 'n'.
It's to be used with `emerge --sync` to allow WKD to be updated or not.
If WKD is forced and then fails, it won't try to update keys via keyserver (as it would without this patch).

So without updating keys from WKD (or keyserver), the only keys left to use are:
/usr/share/openpgp-keys/gentoo-release.asc
which is owned by package app-crypt/openpgp-keys-gentoo-release-20191030

This should be safer (security-wise) than updating keys from WKD on every `emerge --sync`!!

Index: /usr/lib64/python3.6/site-packages/portage/sync/syncbase.py
===================================================================
--- orig/lib/portage/sync/syncbase.py
+++ mod/lib/portage/sync/syncbase.py
@@ -253,11 +253,20 @@ class SyncBase(object):
 		"""
 		out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts))
 		out.ebegin('Refreshing keys via WKD')
-		if openpgp_env.refresh_keys_wkd():
+		if openpgp_env.refresh_keys_wkd(Force=True):  #Force=True differentiates from other calls to refresh_keys_wkd, if any! yes at least one: gemato verify /var/db/repos/gentoo -K /usr/share/openpgp-keys/gentoo-release.asc --one-file-system --require-signed-manifest  --debug
 			out.eend(0)
 			return
 		out.eend(1)
-
+		#print(openpgp_env) #it's a complex object TODO: how to print it!
+		#actually I won't be needing WKD refresh because since I'm sync-ing daily I won't miss an update to:
+		#app-crypt/openpgp-keys-gentoo-release-20191030 (/usr/share/openpgp-keys/gentoo-release.asc)
+		# which has that .asc key which would be kept up to date!
+		#otherwise gemato wkd will make a /tmp/ dir to import keys into and use it to verify the repo, which means
+		# it can be temporarily fooled (since it's just fetching keys via https, and BGP hijacking is a thing) into
+		# fetching evil keys, coupled with similar mitm rsync-ed repo, bam hijacked system, if even just temporarily
+		# you won't even know if it happened, since next rsync/wkd could be normal, once the rootkit hid and cleaned up.
+		raise Exception("WKD refresh failed!")
+		#yeah don't use keyserver from below!
 		out.ebegin('Refreshing keys from keyserver{}'.format(
 			('' if self.repo.sync_openpgp_keyserver is None else ' ' + self.repo.sync_openpgp_keyserver)))
 		retry_decorator = self._key_refresh_retry_decorator()
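Review bot: `raise Exception("WKD refresh failed!")` raises a bare `Exception`, but the rsync/webrsync/git hunks later in this patch wrap `_refresh_keys()` in `except (GematoException, asyncio.TimeoutError)`, so this will not be caught there and `emerge --sync` will abort with a traceback instead of the "verification impossible due to keyring problem" message. Raise a `GematoException` subclass (or whatever type the refresh code already raises). The `raise` also makes the whole keyserver block after it unreachable; delete that block instead of leaving dead code behind `#yeah don't use keyserver from below!`. The narrative comment block and the `#print(openpgp_env) ... TODO` line belong in the patch description, and the inline comment on the `if` line (a complete `gemato verify` command) should be cut to the one sentence that explains why `Force=True` is passed here.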
Index: /usr/lib64/python3.6/site-packages/_emerge/main.py
===================================================================
--- orig/lib/_emerge/main.py
+++ mod/lib/_emerge/main.py
@@ -126,6 +126,7 @@ def insert_optional_args(args):
 	default_arg_opts = {
 		'--alert'                : y_or_n,
 		'--ask'                  : y_or_n,
+		'--forceWKDupdate'                  : y_or_n, #see also myoptions.forceWKDupdate
 		'--autounmask'           : y_or_n,
 		'--autounmask-continue'  : y_or_n,
 		'--autounmask-only'      : y_or_n,
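Review bot: the new `'--forceWKDupdate'` entry breaks the alphabetical ordering of `default_arg_opts` (it sits between `--ask` and `--autounmask`) and its column alignment; the existing options are also lower-case and hyphenated (`--autounmask-continue`), so `--force-wkd-update` would follow the convention, with the same rename applied in every other hunk that references the string.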
@@ -325,6 +326,11 @@ def parse_opts(tmpcmdline, silent=False)
 			"choices" : true_y_or_n
 		},
 
+		"--forceWKDupdate": {
+			"help"    : "use with --sync, force or not(default) WKD update of gpg keys; if 'n' aka default, it will just use /usr/share/openpgp-keys/gentoo-release.asc which comes from package app-crypt/openpgp-keys-gentoo-release-20191030 ! Only use 'y' if you need it, otherwise it can open your system to compromise.",
+			"choices" : true_y_or_n
+		},
+
 		"--autounmask": {
 			"help"    : "automatically unmask packages",
 			"choices" : true_y_or_n
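Review bot: the help string hard-codes a package version (`app-crypt/openpgp-keys-gentoo-release-20191030`) and a fixed key path, both of which go stale with the next keys release; the key actually imported is `self.repo.sync_openpgp_key_path` (see the rsync/webrsync/git hunks), so the help should say that only the keys from the repository's sync-openpgp-key-path are used and that they are not refreshed via WKD or keyserver, without naming versions. It is also many times longer than the neighbouring entries; keep it to one line like `--autounmask`.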
@@ -836,6 +842,11 @@ def parse_opts(tmpcmdline, silent=False)
 	else:
 		myoptions.ask = None
 
+	if myoptions.forceWKDupdate in true_y:
+		myoptions.forceWKDupdate = True
+	else:
+		myoptions.forceWKDupdate = None
+
 	if myoptions.autounmask in true_y:
 		myoptions.autounmask = True
 
Index: /usr/lib64/python3.6/site-packages/portage/sync/modules/rsync/rsync.py
===================================================================
--- orig/lib/portage/sync/modules/rsync/rsync.py
+++ mod/lib/portage/sync/modules/rsync/rsync.py
@@ -153,7 +153,8 @@ class RsyncSync(NewBase):
 					out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,))
 					with io.open(self.repo.sync_openpgp_key_path, 'rb') as f:
 						openpgp_env.import_key(f)
-					self._refresh_keys(openpgp_env)
+					if "--forceWKDupdate" in opts:
+						self._refresh_keys(openpgp_env)
 				except (GematoException, asyncio.TimeoutError) as e:
 					writemsg_level("!!! Manifest verification impossible due to keyring problem:\n%s\n"
 							% (e,),
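Review bot: `"--forceWKDupdate" in opts` tests for the presence of the option string, not its parsed value, while the main.py hunk normalises `myoptions.forceWKDupdate` to True or None; if `opts` carries the key whenever the flag is given, `--forceWKDupdate n` will still trigger the refresh. Check the parsed boolean instead, and do it once inside `SyncBase._refresh_keys()` (already modified in the syncbase hunk) rather than copy-pasting the same two-line guard into rsync.py, webrsync.py and git.py. When the refresh is skipped, also print an `einfo` so the user can see that the keys came from `sync_openpgp_key_path` only and were not refreshed.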
Index: /usr/lib64/python3.6/site-packages/portage/sync/modules/webrsync/webrsync.py
===================================================================
--- orig/lib/portage/sync/modules/webrsync/webrsync.py
+++ mod/lib/portage/sync/modules/webrsync/webrsync.py
@@ -86,7 +86,8 @@ class WebRsync(SyncBase):
 					out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,))
 					with io.open(self.repo.sync_openpgp_key_path, 'rb') as f:
 						openpgp_env.import_key(f)
-					self._refresh_keys(openpgp_env)
+					if "--forceWKDupdate" in opts:
+						self._refresh_keys(openpgp_env)
 					self.spawn_kwargs["env"]["PORTAGE_GPG_DIR"] = openpgp_env.home
 					self.spawn_kwargs["env"]["PORTAGE_TEMP_GPG_DIR"] = openpgp_env.home
 				except (GematoException, asyncio.TimeoutError) as e:
Index: /usr/lib64/python3.6/site-packages/portage/sync/modules/git/git.py
===================================================================
--- orig/lib/portage/sync/modules/git/git.py
+++ mod/lib/portage/sync/modules/git/git.py
@@ -224,7 +224,8 @@ class GitSync(NewBase):
 					out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,))
 					with io.open(self.repo.sync_openpgp_key_path, 'rb') as f:
 						openpgp_env.import_key(f)
-					self._refresh_keys(openpgp_env)
+					if "--forceWKDupdate" in opts:
+						self._refresh_keys(openpgp_env)
 				except (GematoException, asyncio.TimeoutError) as e:
 					writemsg_level("!!! Verification impossible due to keyring problem:\n%s\n"
 							% (e,),
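
Whichever route is taken, the patches above or plain `gemato verify -R`, what is worth asserting after each sync is that nothing reached out to WKD behind your back and that the Manifest signature came from the release key you pinned. The following Python script is an added example, not part of this issue, gemato or portage: it reads a `gemato verify --debug` transcript and reports exactly that. The pinned fingerprint is the primary key shown in the "Valid OpenPGP signature found" block above; the two sample transcripts are trimmed copies of the runs quoted in this comment, and the third is constructed by swapping in a made-up fingerprint.

```python
"""Audit a `gemato verify --debug` transcript against pinned Gentoo release keys.

Added example (not part of the issue, gemato or portage). It reports whether a
WKD lookup actually went out, whether the refresh failed, and whether the
Manifest signature came from a pinned primary key.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Primary key fingerprint of the Gentoo Portage snapshot signing key, as it
# appears in the "Valid OpenPGP signature found" block of the transcript above.
PINNED_PRIMARY_KEYS = frozenset({"DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"})

_PRIMARY = re.compile(r"^INFO:root:- primary key: ([0-9A-Fa-f]{40})$")
_VERIFIED = re.compile(r"^INFO:root:(\S+) verified in [0-9.]+ seconds$")
# gemato enumerates keyid/fingerprint/UID for every key before it asks WKD;
# seeing these lines means a network lookup was actually attempted.
_WKD_LOOKUP = re.compile(r"^DEBUG:root:refresh_keys_wkd\(\): (keyid|fingerprint|UID): ")


@dataclass
class Audit:
    wkd_lookup_attempted: bool = False
    refresh_ok: Optional[bool] = None      # True: "Keys refreshed.", False: refresh failed, None: not seen
    signing_primary: Optional[str] = None  # 40-hex primary key fingerprint from the signature block
    verified_path: Optional[str] = None    # path gemato reported as verified

    @property
    def verdict(self) -> str:
        if self.refresh_ok is False:
            return "refresh-failed"          # gemato aborted before verifying anything
        if self.verified_path is None:
            return "not-verified"
        if self.signing_primary is None:
            return "no-signature-details"
        if self.signing_primary not in PINNED_PRIMARY_KEYS:
            return "unpinned-key"            # valid signature, but not from a key we pinned
        return "ok"


def audit_gemato_log(lines: Iterable[str]) -> Audit:
    """Scan gemato --debug output line by line and fill in an Audit."""
    audit = Audit()
    for raw in lines:
        line = raw.rstrip("\n")
        if _WKD_LOOKUP.match(line):
            audit.wkd_lookup_attempted = True
        elif line == "INFO:root:Keys refreshed.":
            audit.refresh_ok = True
        elif line.startswith("ERROR:root:OpenPGP keyring refresh failed"):
            audit.refresh_ok = False
        elif (m := _PRIMARY.match(line)):
            audit.signing_primary = m.group(1).upper()
        elif (m := _VERIFIED.match(line)):
            audit.verified_path = m.group(1)
    return audit


# Trimmed from the "without patch" run quoted above: WKD lookups attempted, dirmngr missing.
WITHOUT_PATCH_LOG = """\
INFO:root:Refreshing keys...
DEBUG:root:refresh_keys(allow_wkd=True, keyserver=None) called
DEBUG:root:refresh_keys_wkd(): keyid: DB6B8C1F96D8BF6D
DEBUG:root:refresh_keys_wkd(): fingerprint: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
DEBUG:root:refresh_keys_wkd(): gpg --locate-keys failed: gpg: keybox '/tmp/tmp21ufouoi/pubring.kbx' created
ERROR:root:OpenPGP keyring refresh failed:
gpg: keyserver refresh failed: No dirmngr
"""

# Trimmed from the "with patch" run quoted above: no lookup, Manifest signed by the pinned key.
WITH_PATCH_LOG = """\
INFO:root:Refreshing keys...
DEBUG:root:refresh_keys_wkd(): doing nothing (see: /usr/lib64/python3.6/site-packages/gemato/openpgp.py)
INFO:root:Keys refreshed.
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
INFO:root:- subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
INFO:root:Verifying /var/db/repos/gentoo...
INFO:root:/var/db/repos/gentoo verified in 10.06 seconds
"""

# Constructed: same shape, but the signing primary key is a made-up fingerprint.
UNPINNED_KEY_LOG = WITH_PATCH_LOG.replace(
    "DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D",
    "0123456789ABCDEF0123456789ABCDEF01234567")

if __name__ == "__main__":
    import sys
    # Pipe a real transcript in (gemato verify ... --debug 2>&1 | python3 audit.py),
    # otherwise fall back to the embedded "with patch" sample.
    src = sys.stdin if not sys.stdin.isatty() else WITH_PATCH_LOG.splitlines()
    result = audit_gemato_log(src)
    print(result.verdict, result)
```

The verdict deliberately distinguishes "refresh-failed" (gemato never got to the Manifest) from "unpinned-key" (a valid signature, but from a key that is not in the local release keyring), because only the second one is a sign that the set of trusted keys changed under you; `wkd_lookup_attempted` tells you whether that change could have come from the network at all.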
