User:Maffblaster/Archives/Gkeys Handbook section
Validated Gentoo repository snapshots
Administrators can opt to update the local Gentoo ebuild repository from a cryptographically validated snapshot as released by the Gentoo infrastructure. Because each snapshot is signed by a Gentoo release key, a rogue or compromised rsync mirror cannot inject unwanted code or packages into the repository the system downloads without the signature check failing.
The following is an updated method for setting up and using the emerge-webrsync sync method through repos.conf.
The Gentoo release media OpenPGP keys are now available as a binary keyring. These can be installed via the app-crypt/gentoo-keys package:
root #
emerge --ask app-crypt/gentoo-keys
This will install the keyring to the /var/lib/gentoo/gkeys/keyrings/gentoo/release location. Point Portage at that keyring by setting PORTAGE_GPG_DIR in /etc/portage/make.conf:
PORTAGE_GPG_DIR="/var/lib/gentoo/gkeys/keyrings/gentoo/release"
Then configure the gentoo repository to sync with webrsync and to verify the snapshot signature, in /etc/portage/repos.conf/gentoo.conf:
[DEFAULT]
main-repo = gentoo
[gentoo]
# Disable synchronization by clearing the values or setting auto-sync = no
# Do not quote the values of variables in this configuration file ('' or "")!
sync-type = webrsync
sync-uri =
auto-sync = yes
sync-webrsync-verify-signature = true
Make sure that app-crypt/gnupg package is installed:
root #
emerge --ask app-crypt/gnupg
Use gpg to verify that the keys in the keyring are the correct keys:
root #
gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --with-fingerprint --list-keys --keyid-format 0xlong
Verify the full fingerprints of the key(s) (not just the short key IDs, which can be forged) against those listed on the official Gentoo release engineering project page.
If any of the keys installed from app-crypt/gentoo-keys should expire, run gkeys from app-crypt/gkeys to refresh them from the key server:
root #
emerge --ask app-crypt/gkeys
root #
gkeys refresh-key -C gentoo
Repeat the following command for each key you wish to trust, substituting the key ID (0x...) of the key whose fingerprint was verified in the previous step. Only assign trust to a key after its fingerprint has been checked.
root #
gpg --homedir /var/lib/gentoo/gkeys/keyrings/gentoo/release --edit-key 0xDB6B8C1F96D8BF6D trust
When the GPG command-line menu appears, choose 4 (I trust fully) for the key and quit the program by entering the following:
gpg>
4
gpg>
quit
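The fingerprint comparison and the trust assignment above are both interactive. The following POSIX shell script, an added example that is not part of the Handbook or of the gkeys project, does the fingerprint step mechanically: it parses gpg's machine-readable --with-colons listing, picks out the primary-key fingerprints, and compares them with a list of expected fingerprints, failing on both missing and unexpected keys. The sample listing and the expected fingerprints in it are constructed placeholders; in real use the expected values come from the Gentoo release engineering page. It also shows the non-interactive equivalent of the --edit-key trust menu, using gpg --import-ownertrust (ownertrust value 5 corresponds to "I trust fully").

```sh
#!/bin/sh
# Added example (not from the Gentoo Handbook): verify a gkeys keyring against a
# list of expected fingerprints, and assign ownertrust without the interactive menu.
#
# Assumptions: gpg is installed and the keyring lives at the gkeys path used on
# this page. SAMPLE_LISTING and the fingerprints in it are CONSTRUCTED so the
# check can be exercised offline; replace the expected list with the real
# fingerprints published by Gentoo release engineering.

KEYRING_DIR=/var/lib/gentoo/gkeys/keyrings/gentoo/release

# Live listing. --with-colons gives one record per line; field 1 is the record
# type and "fpr" records carry the full fingerprint in field 10.
list_fingerprints() {
    gpg --homedir "$KEYRING_DIR" --with-colons --fingerprint --list-keys 2>/dev/null
}

# Constructed sample of what list_fingerprints prints: two primary keys, the
# first with one subkey. Not real Gentoo keys.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1600000000:1800000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Key One (constructed) <one@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1600000000:1800000000:::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:-:4096:1:89ABCDEF01234567:1600000000:1800000000::-:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1600000000::0000000000000000000000000000000000000000::Example Key Two (constructed) <two@example.invalid>::::::::::0:'

# Print primary-key fingerprints only: an "fpr" record directly after a "pub"
# record belongs to the primary key; one after "sub" belongs to a subkey.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# $1: expected primary fingerprints, whitespace-separated; stdin: colon listing.
# Returns 0 only if every expected fingerprint is present AND the keyring holds
# no other primary key: an unreviewed extra key is one more key that snapshot
# signatures could be checked against, so it is reported as a failure too.
check_keyring() {
    expected=" $(echo $1) "   # normalise separators to single spaces
    actual=$(primary_fingerprints)
    status=0
    for fpr in $expected; do
        if echo "$actual" | grep -qx "$fpr"; then
            echo "OK         $fpr"
        else
            echo "MISSING    $fpr"
            status=1
        fi
    done
    for fpr in $actual; do
        case "$expected" in
            *" $fpr "*) ;;
            *) echo "UNEXPECTED $fpr"; status=1 ;;
        esac
    done
    return $status
}

# Non-interactive equivalent of "gpg --edit-key <id> trust" + "4": the
# ownertrust import format is FINGERPRINT:VALUE: with 5 meaning full trust.
# $1: full fingerprint of a key whose fingerprint has already been verified.
set_full_trust() {
    printf '%s:5:\n' "$1" | gpg --homedir "$KEYRING_DIR" --import-ownertrust
}

# Live usage (needs gpg and the keyring), e.g.:
#   list_fingerprints | check_keyring "$EXPECTED" && set_full_trust "$ONE_FPR"
```

Run check_keyring before set_full_trust: trust is only meaningful for a key whose fingerprint has been matched against the published list, and the check refuses a keyring containing keys that are not on that list.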
The system is now set up to sync using only OpenPGP/gpg verified snapshots.
Several commands are available to perform the sync.
Only one of the following commands is needed to sync. See the Portage sync wiki article for more details.
root #
emerge --sync
root #
emaint sync -a
root #
emaint sync --repo gentoo
root #
emerge-webrsync