[gentoo-user] emerge --sync: problem refreshing keys
Stefano Crocco
2019-07-18 17:50:01 UTC
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
messages I get are:

Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring
refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available

OpenPGP keyring refresh failed:
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available

After that, it goes on for a while with the same message.

As I have seen no messages regarding this either here or on the forums, I
guess there's something wrong on my system, but I can't imagine what's wrong.
Two days ago I could sync without problems. Looking at the emerge log, I saw
that most of the packages I installed were from kde-frameworks and kde-apps,
so I don't think they can have caused this issue.

Do you have any idea about how to solve this issue? Searching Google, I found
several mentions of similar issues, but they were old (about one year ago) and
the proposed solution was to install app-portage/gemato-14.0. Of course, all
older versions of gemato aren't in portage anymore, so that can't be the
issue.

Does anyone have any suggestions on how to fix this issue?

Thanks in advance

Stefano
Ian Zimmerman
2019-07-19 16:30:02 UTC
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?

https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/

Aside:
I have already switched my personal gpg configuration to use the new
isolated keyserver.
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Stefano Crocco
2019-07-19 19:10:03 UTC
Post by Ian Zimmerman
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?
https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
Post by Ian Zimmerman
I have already switched my personal gpg configuration to use the new
isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article on
gentoo.org. From what I understand, it said that in theory there shouldn't be
problems when syncing because "The gemato tool used to verify the Gentoo
ebuild repository uses WKD by default. During normal operation it should not
be affected by this vulnerability". Reading the article again, I now see it
also says that "In the worst case; Gentoo repository syncs will be slow or
hang" which, as you suggest, could very well be what's happened on my system.
Unfortunately, the article doesn't say what to do if this happens.

Tomorrow I'll try investigating more.

Stefano

[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
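The news item Stefano quotes says gemato refreshes the release keys over WKD (Web Key Directory) before falling back to a keyserver, and the log above shows that WKD step failing too. The block below is an added example, not code from the thread, from gemato or from Portage: it derives the WKD lookup URLs for an address the way the OpenPGP Web Key Directory draft specifies (lowercased local part, SHA-1, z-base-32), so the WKD fetch can be reproduced by hand with curl or with `gpg --auto-key-locate clear,nodefault,wkd --locate-keys <address>`. The address `Joe.Doe@Example.ORG` is a constructed example; to check Gentoo's key, substitute the address from the user ID that `gpg --show-keys /usr/share/openpgp-keys/gentoo-release.asc` prints.

```python
"""Derive Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example (not from the thread, gemato or Portage). Implements the
hashing scheme of the OpenPGP Web Key Directory draft: the local part is
lowercased, hashed with SHA-1 and the 160-bit digest is z-base-32 encoded
to form the "hu" path component. The domain part is lowercased as well.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD (not the RFC 4648 base32 alphabet).
_ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per symbol, no padding symbols.

    A 20-byte SHA-1 digest is 160 bits, so it maps to exactly 32 symbols.
    """
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)  # zero-fill the last partial group
    return "".join(_ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """The WKD "hu" component for a mailbox local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD key URLs plus the policy URLs.

    The advanced method is tried first by conforming clients; the direct
    method is the fallback when openpgpkey.<domain> does not resolve.
    """
    local_part, _, domain = address.partition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    hu = wkd_hash(local_part)
    # The l= query parameter carries the local part as written (case kept).
    l_param = quote(local_part, safe="")
    adv_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{adv_base}/hu/{hu}?l={l_param}",
        "direct": f"{direct_base}/hu/{hu}?l={l_param}",
        "policy_advanced": f"{adv_base}/policy",
        "policy_direct": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Constructed address from the WKD draft's example, not a real key.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
    # To probe by hand (network required):
    #   curl -sSI "<direct URL>"    -> expect 200 and an OpenPGP key body
    #   gpg --auto-key-locate clear,nodefault,wkd --locate-keys <address>
```

A 404 on both URLs for the release key's address, or a TLS or DNS failure on `openpgpkey.<domain>`, reproduces the `[ !! ]` outcome in the log above, which is what makes gemato drop to the keyserver path that the rest of the thread turns out to be about.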
Stefano Crocco
2019-07-21 10:20:01 UTC
Post by Ian Zimmerman
Post by Ian Zimmerman
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?
https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
Post by Ian Zimmerman
I have already switched my personal gpg configuration to use the new
isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article on
gentoo.org. From what I understand, it said that in theory there shouldn't
be problems when syncing because "The gemato tool used to verify the Gentoo
ebuild repository uses WKD by default. During normal operation it should
not be affected by this vulnerability". Reading the article again, I now
see it also says that "In the worst case; Gentoo repository syncs will be
slow or hang" which, as you suggest, could very well be what's happened on
my system. Unfortunately, the article doesn't say what to do if this
happens.
Tomorrow I'll try investigating more.
Stefano
[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
It seems I found out how to fix the issue. I tried comparing my
/usr/share/portage/config/repos.conf with the one which comes with a current
stage3 and found out mine had the line

sync-openpgp-keyserver = hkps://keys.gentoo.org

which was missing in the file from stage3. Removing it (both here and in
/etc/portage/repos.conf/gentoo.conf) allowed me to sync correctly. I hope this
is the correct fix. I don't remember ever writing this line, so I suppose it
came with the original stage3 I built my system from or was changed by another
update (an update of what, however? According to `equery b`, this file doesn't
belong to any package).

I hope things will keep working.

Stefano
Mick
2019-07-21 10:50:02 UTC
Post by Stefano Crocco
Post by Ian Zimmerman
Post by Ian Zimmerman
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?
https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
Post by Ian Zimmerman
I have already switched my personal gpg configuration to use the new
isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article
on gentoo.org. From what I understand, it said that in theory there
shouldn't be problems when syncing because "The gemato tool used to
verify the Gentoo ebuild repository uses WKD by default. During normal
operation it should not be affected by this vulnerability". Reading the
article again, I now see it also says that "In the worst case; Gentoo
repository syncs will be slow or hang" which, as you suggest, could very
well be what's happened on my system. Unfortunately, the article doesn't
say what to do if this happens.
Tomorrow I'll try investigating more.
Stefano
[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
It seems I found out how to fix the issue. I tried comparing my
/usr/share/portage/config/repos.conf with the one which comes with a current
stage3 and found out mine had the line
sync-openpgp-keyserver = hkps://keys.gentoo.org
which was missing in the file from stage3. Removing it (both here and in
/etc/portage/repos.conf/gentoo.conf) allowed me to sync correctly. I hope
this is the correct fix. I don't remember ever writing this line, so I
suppose it came with the original stage3 I built my system from or was
changed by another update (an update of what, however? According to `equery
b`, this file doesn't belong to any package).
I hope things will keep working.
Stefano
I grepped two older installations I had immediate access to and there is no
directive containing "openpgp" anywhere within /etc/portage/.

In a new-ish installation there were a number of entries in
/etc/portage/repos.conf/gentoo.conf, but no keyserver URI:

$ grep openpgp -r /etc/portage/repos.conf/gentoo.conf
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4

Perhaps you had added a keyserver as a fall back when you were configuring
your system to use WKD? I haven't implemented WKD because there was no news
item advising us to do so.
--
Regards,

Mick
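Stefano's fix above (deleting the `sync-openpgp-keyserver` line) and Mick's grep of a stock gentoo.conf together describe the settings worth auditing on any box that hangs in "Refreshing keys". The block below is an added example, not code from the thread, from Portage or from gemato. It parses repos.conf text with the stdlib `configparser` (repos.conf is INI-style), reports which section pins a keyserver and whether that applies to one repo or to all of them, and bounds how long a dead keyserver can stall a sync from the retry settings Mick listed. The two sample configs are constructed to mirror the two machines in the thread. The backoff shape used for the bound (attempt n waits at most mult * base**n seconds, capped at delay-max) is an assumption about Portage's retry loop; the overall-timeout cap is what actually decides the number for these settings.

```python
"""Audit Portage repos.conf files for the OpenPGP key-refresh settings.

Added example, not code from the thread, from Portage or from gemato.
Sample configs are constructed; the backoff shape is an assumption.
"""
import configparser
from typing import Dict, List

# Constructed sample: shape of the config that failed in the thread.
STEFANO_CONF = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
auto-sync = yes
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-keyserver = hkps://keys.gentoo.org
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4
"""

# Constructed sample: the same file without the keyserver line (Mick's grep).
MICK_CONF = STEFANO_CONF.replace("sync-openpgp-keyserver = hkps://keys.gentoo.org\n", "")

KEYSERVER_KEY = "sync-openpgp-keyserver"
RETRY_PREFIX = "sync-openpgp-key-refresh-retry-"


def parse_repos_conf(text: str) -> configparser.ConfigParser:
    """Parse repos.conf text, keeping [DEFAULT] as an ordinary section so the
    audit can tell a directive that applies to every repo from a per-repo one."""
    parser = configparser.ConfigParser(interpolation=None, default_section="__no_default__")
    parser.read_string(text)
    return parser


def keyserver_findings(parser: configparser.ConfigParser) -> List[str]:
    """One line per section that pins a keyserver; empty list means none."""
    findings = []
    for section in parser.sections():
        if parser.has_option(section, KEYSERVER_KEY):
            scope = "all repos" if section == "DEFAULT" else f"repo {section!r}"
            findings.append(f"{KEYSERVER_KEY} = {parser.get(section, KEYSERVER_KEY)} ({scope})")
    return findings


def retry_settings(parser: configparser.ConfigParser, section: str = "gentoo") -> Dict[str, int]:
    """Collect the sync-openpgp-key-refresh-retry-* integers for one repo,
    keyed by the part after the common prefix (count, delay-max, ...)."""
    return {key[len(RETRY_PREFIX):]: int(value)
            for key, value in parser.items(section)
            if key.startswith(RETRY_PREFIX)}


def worst_case_stall_seconds(retry: Dict[str, int]) -> int:
    """Upper bound on how long a keyserver that never answers can hold a sync.

    Assumption: attempt n waits at most delay-mult * delay-exp-base**n seconds,
    capped at delay-max. Whatever the exact shape, the loop is also cut off at
    overall-timeout, so the bound is min(sum of waits, overall-timeout).
    """
    waited = sum(min(retry["delay-max"], retry["delay-mult"] * retry["delay-exp-base"] ** n)
                 for n in range(retry["count"]))
    return min(waited, retry["overall-timeout"])


def strip_keyserver(text: str) -> str:
    """Return the config text without any sync-openpgp-keyserver line; this is
    the edit that let the thread's author sync again. Only '=' delimited
    lines are considered, which is how repos.conf is written."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if line.split("=", 1)[0].strip() != KEYSERVER_KEY)


if __name__ == "__main__":
    for name, text in (("stefano", STEFANO_CONF), ("mick", MICK_CONF)):
        parser = parse_repos_conf(text)
        print(f"== {name}")
        for line in keyserver_findings(parser) or ["no sync-openpgp-keyserver directive"]:
            print("  " + line)
        stall = worst_case_stall_seconds(retry_settings(parser))
        print(f"  worst-case stall on a dead keyserver: {stall} s")
```

To run it against a real system, read `/usr/share/portage/config/repos.conf` and every file under `/etc/portage/repos.conf/` and feed the text to `parse_repos_conf`; with Mick's values the stall bound is the 1200 s overall timeout, which is the "syncs will be slow or hang" case the Gentoo news item warns about.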
Stefano Crocco
2019-07-21 11:30:02 UTC
Post by Mick
Post by Stefano Crocco
Post by Ian Zimmerman
Post by Ian Zimmerman
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP
keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?
https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
Post by Ian Zimmerman
I have already switched my personal gpg configuration to use the new
isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article
on gentoo.org. From what I understand, it said that in theory there
shouldn't be problems when syncing because "The gemato tool used to
verify the Gentoo ebuild repository uses WKD by default. During normal
operation it should not be affected by this vulnerability". Reading the
article again, I now see it also says that "In the worst case; Gentoo
repository syncs will be slow or hang" which, as you suggest, could very
well be what's happened on my system. Unfortunately, the article doesn't
say what to do if this happens.
Tomorrow I'll try investigating more.
Stefano
[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
It seems I found out how to fix the issue. I tried comparing my
/usr/share/portage/config/repos.conf with the one which comes with a
current stage3 and found out mine had the line
sync-openpgp-keyserver = hkps://keys.gentoo.org
which was missing in the file from stage3. Removing it (both here and in
/etc/portage/repos.conf/gentoo.conf) allowed me to sync correctly. I hope
this is the correct fix. I don't remember ever writing this line, so I
suppose it came with the original stage3 I built my system from or was
changed by another update (an update of what, however? According to `equery
b`, this file doesn't belong to any package).
I hope things will keep working.
Stefano
I grepped two older installations I had immediate access to and there is no
directive containing "openpgp" anywhere within /etc/portage/.
In a new-ish installation there were a number of entries in /etc/portage/
$ grep openpgp -r /etc/portage/repos.conf/gentoo.conf
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4
Perhaps you had added a keyserver as a fall back when you were configuring
your system to use WKD? I haven't implemented WKD because there was no news
item advising us to do so.
Maybe. I really know nothing about these issues, so I'm sure I wouldn't have
added that line by myself. Maybe I read about them somewhere and I forgot
about it.

Stefano
Stefano Crocco
2019-08-05 10:30:01 UTC
Post by Stefano Crocco
Post by Mick
Post by Stefano Crocco
Post by Ian Zimmerman
Post by Ian Zimmerman
Post by Stefano Crocco
Hello to everyone,
since yesterday emerge --sync fails because it can't refresh keys. The
Syncing repository 'gentoo' into '/usr/portage'...
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
* Refreshing keys via WKD ... [ !! ]
* Refreshing keys from keyserver hkps://keys.gentoo.org ...OpenPGP
keyring
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
gpg: refreshing 4 keys from hkps://keys.gentoo.org
gpg: keyserver refresh failed: No keyserver available
Perhaps something to do with this?
https://www.bleepingcomputer.com/news/security/public-certificate-poisoning-can-break-some-openpgp-implementations/
Post by Ian Zimmerman
I have already switched my personal gpg configuration to use the new
isolated keyserver.
Thanks for the answer. I'd heard of this attack and read this [1] article
on gentoo.org. From what I understand, it said that in theory there
shouldn't be problems when syncing because "The gemato tool used to
verify the Gentoo ebuild repository uses WKD by default. During normal
operation it should not be affected by this vulnerability". Reading the
article again, I now see it also says that "In the worst case; Gentoo
repository syncs will be slow or hang" which, as you suggest, could very
well be what's happened on my system. Unfortunately, the article doesn't
say what to do if this happens.
Tomorrow I'll try investigating more.
Stefano
[1] https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html
It seems I found out how to fix the issue. I tried comparing my
/usr/share/portage/config/repos.conf with the one which comes with a
current stage3 and found out mine had the line
sync-openpgp-keyserver = hkps://keys.gentoo.org
which was missing in the file from stage3. Removing it (both here and in
/etc/portage/repos.conf/gentoo.conf) allowed me to sync correctly. I hope
this is the correct fix. I don't remember ever writing this line, so I
suppose it came with the original stage3 I built my system from or was
changed by another update (an update of what, however? According to `equery
b`, this file doesn't belong to any package).
I hope things will keep working.
Stefano
I grepped two older installations I had immediate access to and there is no
directive containing "openpgp" anywhere within /etc/portage/.
In a new-ish installation there were a number of entries in /etc/portage/
$ grep openpgp -r /etc/portage/repos.conf/gentoo.conf
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4
Perhaps you had added a keyserver as a fall back when you were configuring
your system to use WKD? I haven't implemented WKD because there was no
news item advising us to do so.
Maybe. I really know nothing about these issues, so I'm sure I wouldn't have
added that line by myself. Maybe I read about them somewhere and I forgot
about it.
Stefano
If anyone is interested, I've found out a bit more about this issue. The
mysterious line

sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc

is the default in portage since version 2.3.69 (~arch). This means that the
problem suddenly reappeared the first time portage got updated. By chance, I'd
just bought a new laptop and had finished installing Gentoo on it the day
before. I tried syncing from it... and it worked. I was getting angry: on my
desktop and my old laptop emerge --sync didn't work; on my new laptop it did.
Of course, the three machines were configured almost in the same way, so I
couldn't understand what could be causing the difference.

Searching again on Google, I somehow found the bug report [1], which says
that in the past gnupg --refresh-keys could fail if IPv6 was disabled. The bug
report is marked as resolved with the release of gnupg-2.2.4-r2 last year;
however, I knew that on my new laptop I had left IPv6 enabled while on the
other two machines I had disabled it (I can't remember why, but disabling IPv6
is usually one of the first things I do on a new system). Could this be a
coincidence? I immediately rebuilt the kernel on my desktop PC with IPv6
enabled, rebooted, tried to sync, and it worked. Just to be sure, I disabled
it again, and it stopped working.

At this point, I think I'll file a bug report and see what they say.

Stefano

[1] https://bugs.gentoo.org/646194
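The last post pins the failure on the machines' IPv6 state rather than on the repos.conf line. The block below is an added example, not code from the thread, from Portage or from GnuPG: it reads the two kernel facts an admin would check (whether the kernel has IPv6 at all, and whether the `disable_ipv6` sysctl is set), resolves the keyserver named in the failing log line, and says whether "IPv6 off on the host but AAAA records for the keyserver" is in play, which is the combination the thread saw fail and the cited bug describes. The resolver answers used in the test are constructed, not real records for keys.gentoo.org. As a caveat: dirmngr(1) has a `disable-ipv6` option that keeps it away from IPv6 addresses, but whether gemato's temporary GNUPGHOME picks up a system-wide dirmngr.conf is not something the thread establishes; rebuilding the kernel with IPv6, as Stefano did, is the only fix the thread confirms.

```python
"""Check whether a host's IPv6 state could explain a failing keyserver refresh.

Added example, not code from the thread, from Portage or from GnuPG. Paths
are the usual Linux /proc locations; the host name is the keyserver from the
thread's log. Pure functions take the gathered facts so they can be tested
offline with constructed resolver results.
"""
import os
import socket
from typing import List, Optional, Tuple

KEYSERVER_HOST = "keys.gentoo.org"                # from the failing log line
IF_INET6 = "/proc/net/if_inet6"                   # absent when the kernel has no IPv6
DISABLE_ALL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"

Address = Tuple[str, str]  # ("inet" | "inet6", textual address)


def classify_ipv6(if_inet6_present: bool, disable_ipv6_value: Optional[str]) -> str:
    """Map kernel facts to 'no-kernel-ipv6', 'disabled-by-sysctl' or 'enabled'.

    if_inet6_present: does /proc/net/if_inet6 exist (IPv6 built in or loaded)?
    disable_ipv6_value: text of .../conf/all/disable_ipv6, or None if unreadable.
    """
    if not if_inet6_present:
        return "no-kernel-ipv6"
    if disable_ipv6_value is not None and disable_ipv6_value.strip() == "1":
        return "disabled-by-sysctl"
    return "enabled"


def read_ipv6_state() -> str:
    """Gather both facts from /proc on this host and classify them."""
    value = None
    try:
        with open(DISABLE_ALL) as fh:
            value = fh.read()
    except OSError:
        pass  # missing on kernels without IPv6; classify() handles that
    return classify_ipv6(os.path.exists(IF_INET6), value)


def resolve(host: str) -> List[Address]:
    """Resolve host to deduplicated ('inet'|'inet6', address) pairs (network)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    pairs = {("inet6" if family == socket.AF_INET6 else "inet", sockaddr[0])
             for family, _, _, _, sockaddr in infos}
    return sorted(pairs)


def reachable(addresses: List[Address], ipv6_state: str) -> List[Address]:
    """Drop every IPv6 address when the host cannot use IPv6."""
    if ipv6_state == "enabled":
        return list(addresses)
    return [(fam, addr) for fam, addr in addresses if fam != "inet6"]


def diagnose(addresses: List[Address], ipv6_state: str) -> str:
    """Say whether the IPv6 state is a plausible cause of 'No keyserver available'."""
    usable = reachable(addresses, ipv6_state)
    dropped = len(addresses) - len(usable)
    if ipv6_state == "enabled":
        return "IPv6 enabled; look elsewhere (WKD endpoint, keyserver outage, proxy)"
    if not usable:
        return f"IPv6 {ipv6_state}: the keyserver resolves only to IPv6 addresses, nothing to connect to"
    if dropped:
        return (f"IPv6 {ipv6_state}: {dropped} IPv6 address(es) unusable, {len(usable)} IPv4 left; "
                "this is the combination the thread saw fail (bug 646194)")
    return f"IPv6 {ipv6_state} but the keyserver is IPv4-only; IPv6 is not the problem here"


if __name__ == "__main__":
    state = read_ipv6_state()
    print(f"IPv6 state on this host: {state}")
    try:
        addrs = resolve(KEYSERVER_HOST)
    except socket.gaierror as err:
        print(f"cannot resolve {KEYSERVER_HOST}: {err}")
    else:
        for fam, addr in addrs:
            print(f"  {'AAAA' if fam == 'inet6' else 'A   '} {addr}")
        print(diagnose(addrs, state))
```

Run it on a box that fails and on one that works; if the only difference is the first line of output, the thread's explanation holds. If both hosts report `enabled`, the keyserver line and the WKD endpoint are back on the suspect list.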
