Run PORTAGE_TRUST_HELPER before remote binary package operations

Right now this is somewhat suboptimal because the helper is only called if FEATURES="binpkg-request-signature" is set, but existing signatures are also verified otherwise. Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
gentoo · Sep 2, 2023 · fed735d · fed735d
1 parent 0f76460
commit fed735d
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/cnf/make.globals b/cnf/make.globals
@@ -150,6 +150,9 @@ PORTAGE_ELOG_MAILFROM="portage@localhost"
 # Signing command used by egencache
 PORTAGE_GPG_SIGNING_COMMAND="gpg --sign --digest-algo SHA256 --clearsign --yes --default-key \"\${PORTAGE_GPG_KEY}\" --homedir \"\${PORTAGE_GPG_DIR}\" \"\${FILE}\""
 
+# Trust helper for updating package signing keys
+PORTAGE_TRUST_HELPER="/usr/bin/getuto -q"
+
 # btrfs.* attributes are irrelevant, see bug #527636.
 # security.* attributes may be special (see bug 461868), but
 # security.capability is specifically not excluded (bug 548516).

diff --git a/lib/portage/dbapi/bintree.py b/lib/portage/dbapi/bintree.py
@@ -1234,11 +1234,32 @@ def _populate_local(self, reindex=True):
 
         return pkgindex if update_pkgindex else None
 
+    def _run_trust_helper(self):
+        portage_trust_helper = self.settings.get("PORTAGE_TRUST_HELPER", "true")
+        # getuto is a shell script...
+        ret = os.waitstatus_to_exitcode(os.system(portage_trust_helper))
+        if ret == 127:
+            raise OSError(
+                _(
+                    "Did not find trust helper. Install app-portage/getuto or set PORTAGE_TRUST_HELPER=true"
+                )
+            )
+        elif ret != 0:
+            raise OSError(
+                _("Failed to run trust helper for binary package verification: Error ")
+                + str(ret)
+            )
+
     def _populate_remote(self, getbinpkg_refresh=True):
         self._remote_has_index = False
         self._remotepkgs = {}
 
         if "binpkg-request-signature" in self.settings.features:
+            # This is somewhat broken, we *should* run the trust helper always
+            # when binpackages are involved, not only when we refuse unsigned
+            # ones. (If the keys have expired we end up refusing signed but
+            # technically invalid packages...)
+            self._run_trust_helper()
             gpkg_only = True
         else:
             gpkg_only = False

diff --git a/lib/portage/package/ebuild/_config/special_env_vars.py b/lib/portage/package/ebuild/_config/special_env_vars.py
@@ -315,6 +315,7 @@
         "PORTAGE_RSYNC_RETRIES",
         "PORTAGE_SSH_OPTS",
         "PORTAGE_SYNC_STALE",
+        "PORTAGE_TRUST_HELPER",
         "PORTAGE_USE",
         "PORTAGE_LOG_FILTER_FILE_CMD",
         "PORTAGE_LOGDIR",

diff --git a/man/make.conf.5 b/man/make.conf.5
@@ -1208,6 +1208,15 @@ Defaults to /var/tmp.
 
 This should not be set to point anywhere under location of any repository.
 .TP
+\fBPORTAGE_TRUST_HELPER\fR = \fI[path]\fR
+Defines an executable file which initializes and maintains
+/etc/portage/gnupg, installing keys that are trusted for binary package
+signing, and refreshing these keys from a key server. The helper is called
+before all operations involving remote binary packages if and only if
+binpkg-request-signature is in \fBFEATURES\fR.
+.br
+Defaults to "/usr/bin/getuto -q" (provided by app-portage/getuto).
+.TP
 \fBPORTAGE_USERNAME\fR = \fI[user]\fR
 Defines the username to use when executing in userpriv/etc... modes (i.e.
 non-root).