Mailing List Archive

How to authenticate the portage tree
(1) Run "find /usr/portage -type f | xargs sha1sum -b" on
the Gentoo main system.

(2) Sign the output with GPG.

(3) Put it into the portage tree.

(4) If the user has GPG installed and has manually put the
appropriate public key in some place _outside_ of the
portage tree, have "emerge sync" verify that the
signature is intact and all hashes hold.

(5) Missing files in the tree are okay (rsync_excludes),
files in the tree which do not have a hash are not okay.


--
gentoo-security@gentoo.org mailing list
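
The check proposed in steps (4) and (5), as an added example that is not part of the original post and is not Portage code. It assumes the list was generated with paths relative to the tree root, that it is stored in the tree as SHA1SUMS with a detached signature SHA1SUMS.asc (both names hypothetical), and that the public key sits in a keyring file outside the tree.

```python
import hashlib
import os
import re
import subprocess

# Hypothetical names for the signed list and its detached signature (step 3).
SKIP = {"SHA1SUMS", "SHA1SUMS.asc"}
LINE = re.compile(r"([0-9a-fA-F]{40}) [* ](.+)")  # `sha1sum -b` output format

def signature_ok(listing, sig, keyring):
    """Step 4: verify the detached signature with a keyring kept outside the tree."""
    cmd = ["gpgv", "--keyring", keyring, sig, listing]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_listing(text):
    """Turn the signed list into {relative path: digest}; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE.fullmatch(line)
        if not m:
            raise ValueError("malformed line: %r" % line)
        entries[os.path.normpath(m.group(2))] = m.group(1).lower()
    return entries

def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def check_tree(root, entries):
    """Step 5: return (mismatched, unlisted); listed-but-missing files are accepted."""
    mismatched, unlisted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.normpath(os.path.relpath(full, root))
            if rel in SKIP:
                continue  # the list cannot contain a hash of itself
            if rel not in entries:
                unlisted.append(rel)      # file without a hash: not okay
            elif sha1_file(full) != entries[rel]:
                mismatched.append(rel)    # hash does not hold
    return sorted(mismatched), sorted(unlisted)
```

Call signature_ok first and parse the list only if it returns True; the tree passes when check_tree returns two empty lists.
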
Re: How to authenticate the portage tree
On 08 Nov 2004 03:41:22 +0100
Peter Simons <simons@cryp.to> wrote:

> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on
> the Gentoo main system.

What's the 'Gentoo main system'?

> (2) Sign the output with GPG.

Who does that?

Basically we do that already with Manifests, just that they
don't cover the whole tree (yet).

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.