aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/portage/repository/config.py10
-rw-r--r--lib/portage/sync/syncbase.py9
-rw-r--r--man/portage.59
3 files changed, 25 insertions, 3 deletions
diff --git a/lib/portage/repository/config.py b/lib/portage/repository/config.py
index 50ab18026..6155c130a 100644
--- a/lib/portage/repository/config.py
+++ b/lib/portage/repository/config.py
@@ -1,4 +1,4 @@
-# Copyright 2010-2019 Gentoo Authors
+# Copyright 2010-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
from __future__ import unicode_literals
@@ -113,6 +113,7 @@ class RepoConfig(object):
'sync_hooks_only_on_change',
'sync_openpgp_keyserver',
'sync_openpgp_key_path',
+ 'sync_openpgp_key_refresh',
'sync_openpgp_key_refresh_retry_count',
'sync_openpgp_key_refresh_retry_delay_exp_base',
'sync_openpgp_key_refresh_retry_delay_max',
@@ -233,6 +234,9 @@ class RepoConfig(object):
self.sync_openpgp_key_path = repo_opts.get(
'sync-openpgp-key-path', None)
+ self.sync_openpgp_key_refresh = repo_opts.get(
+ 'sync-openpgp-key-refresh', 'true').lower() in ('true', 'yes')
+
for k in ('sync_openpgp_key_refresh_retry_count',
'sync_openpgp_key_refresh_retry_delay_exp_base',
'sync_openpgp_key_refresh_retry_delay_max',
@@ -497,6 +501,8 @@ class RepoConfig(object):
repo_msg.append(indent + "location: " + self.location)
if not self.strict_misc_digests:
repo_msg.append(indent + "strict-misc-digests: false")
+ if not self.sync_openpgp_key_refresh:
+ repo_msg.append(indent + "sync-openpgp-key-refresh: no")
if self.sync_type:
repo_msg.append(indent + "sync-type: " + self.sync_type)
if self.sync_umask:
@@ -609,6 +615,7 @@ class RepoConfigLoader(object):
'sync_hooks_only_on_change',
'sync_openpgp_keyserver',
'sync_openpgp_key_path',
+ 'sync_openpgp_key_refresh',
'sync_openpgp_key_refresh_retry_count',
'sync_openpgp_key_refresh_retry_delay_exp_base',
'sync_openpgp_key_refresh_retry_delay_max',
@@ -1047,6 +1054,7 @@ class RepoConfigLoader(object):
bool_keys = (
"strict_misc_digests",
"sync_allow_hardlinks",
+ "sync_openpgp_key_refresh",
"sync_rcu",
)
str_or_int_keys = (
diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py
index 46644d68e..74818a420 100644
--- a/lib/portage/sync/syncbase.py
+++ b/lib/portage/sync/syncbase.py
@@ -1,4 +1,4 @@
-# Copyright 2014-2018 Gentoo Foundation
+# Copyright 2014-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
'''
@@ -252,6 +252,13 @@ class SyncBase(object):
@type openpgp_env: gemato.openpgp.OpenPGPEnvironment
"""
out = portage.output.EOutput(quiet=('--quiet' in self.options['emerge_config'].opts))
+
+ if not self.repo.sync_openpgp_key_refresh:
+ out.ewarn('Key refresh is disabled via a repos.conf sync-openpgp-key-refresh')
+ out.ewarn('setting, and this is a security vulnerability because it prevents')
+ out.ewarn('detection of revoked keys!')
+ return
+
out.ebegin('Refreshing keys via WKD')
if openpgp_env.refresh_keys_wkd():
out.eend(0)
diff --git a/man/portage.5 b/man/portage.5
index 36c871123..136ebaafe 100644
--- a/man/portage.5
+++ b/man/portage.5
@@ -1,4 +1,4 @@
-.TH "PORTAGE" "5" "Apr 2019" "Portage VERSION" "Portage"
+.TH "PORTAGE" "5" "Jun 2020" "Portage VERSION" "Portage"
.SH NAME
portage \- the heart of Gentoo
.SH "DESCRIPTION"
@@ -1125,6 +1125,13 @@ only for protocols supporting cryptographic verification, provided
that the respective verification option is enabled. If unset, the user's
keyring is used.
.TP
+.B sync\-openpgp\-key\-refresh = yes
+Enable OpenPGP key(ring) refresh. This option is enabled by default.
+
+\fBWarning\fR: It is a security vulnerability to disable this option
+because this will prevent detection of revoked keys!
+
+.TP
.B sync\-openpgp\-key\-refresh\-retry\-count = 40
Maximum number of times to retry key refresh if it fails. Between each
key refresh attempt, there is an exponential delay with a constant