commit: dd76020b2f921387afee7f71c9f4f5edd4fe5c2b Author: Florian Schmaus <flow <AT> gentoo <DOT> org> AuthorDate: Tue Oct 7 16:26:14 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Nov 1 09:48:39 2025 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=dd76020b
repository: add more sync-openpgp-key-refresh options Make sync-openpgp-key-refresh accept the following three more options: - wkd - keyserver - false-nowarn This allows more control over how the refresh should be performed. For example, when syncing raw ::gentoo we probably don't want to refresh via wkd, as not all keys that could appear on the top commit are available via wkd. Bug: https://bugs.gentoo.org/661518 Signed-off-by: Florian Schmaus <flow <AT> gentoo.org> Part-of: https://github.com/gentoo/portage/pull/1474 Signed-off-by: Sam James <sam <AT> gentoo.org> lib/portage/repository/config.py | 28 ++++++++++++++++++++++++---- lib/portage/sync/syncbase.py | 15 +++++++++------ man/portage.5 | 21 ++++++++++++++++++++- 3 files changed, 53 insertions(+), 11 deletions(-) diff --git a/lib/portage/repository/config.py b/lib/portage/repository/config.py index 46a2d83856..8de7987745 100644 --- a/lib/portage/repository/config.py +++ b/lib/portage/repository/config.py @@ -269,9 +269,27 @@ class RepoConfig: self.sync_openpgp_key_path = repo_opts.get("sync-openpgp-key-path", None) - self.sync_openpgp_key_refresh = repo_opts.get( + sync_openpgp_key_refresh = repo_opts.get( "sync-openpgp-key-refresh", "true" - ).lower() in ("true", "yes") + ).lower() + if sync_openpgp_key_refresh == "yes": + sync_openpgp_key_refresh = "true" + elif sync_openpgp_key_refresh == "no": + sync_openpgp_key_refresh = "false" + elif sync_openpgp_key_refresh not in ( + "true", + "false", + "wkd", + "keyserver", + "false-nowarn", + ): + writemsg( + f"!!! Invalid sync-openpgpg-key-refresh setting for repo {name}: {sync_openpgp_key_refresh}\n", + noiselevel=-1, + ) + sync_openpgp_key_refresh = "true" + + self.sync_openpgp_key_refresh = sync_openpgp_key_refresh for k in ( "sync_openpgp_key_refresh_retry_count", 
@@ -596,8 +614,10 @@ class RepoConfig: repo_msg.append(indent + "location: " + self.location) if not self.strict_misc_digests: repo_msg.append(indent + "strict-misc-digests: false") - if not self.sync_openpgp_key_refresh: - repo_msg.append(indent + "sync-openpgp-key-refresh: no") + if self.sync_openpgp_key_refresh != "true": + repo_msg.append( + indent + "sync-openpgp-key-refresh: " + self.sync_openpgp_key_refresh + ) if self.sync_type: repo_msg.append(indent + "sync-type: " + self.sync_type) if self.sync_umask: diff --git a/lib/portage/sync/syncbase.py b/lib/portage/sync/syncbase.py index c3a07da7d7..fecfc00690 100644 --- a/lib/portage/sync/syncbase.py +++ b/lib/portage/sync/syncbase.py @@ -272,7 +272,9 @@ class SyncBase: quiet=("--quiet" in self.options["emerge_config"].opts) ) - if not self.repo.sync_openpgp_key_refresh: + if self.repo.sync_openpgp_key_refresh == "false-nowarn": + return + elif self.repo.sync_openpgp_key_refresh == "false": out.ewarn( "Key refresh is disabled via a repos.conf sync-openpgp-key-refresh" ) @@ -282,11 +284,12 @@ class SyncBase: out.ewarn("detection of revoked keys!") return - out.ebegin("Refreshing keys via WKD") - if openpgp_env.refresh_keys_wkd(): - out.eend(0) - return - out.eend(1) + if self.repo.sync_openpgp_key_refresh in ("true", "wkd"): + out.ebegin("Refreshing keys via WKD") + if openpgp_env.refresh_keys_wkd(): + out.eend(0) + return + out.eend(1) out.ebegin( "Refreshing keys from keyserver{}".format( diff --git a/man/portage.5 b/man/portage.5 index 37572da5e2..d7b2063e0f 100644 --- a/man/portage.5 +++ b/man/portage.5 
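Review bot: With `sync-openpgp-key-refresh = wkd`, a failed WKD refresh still falls through to the keyserver refresh: the new `if self.repo.sync_openpgp_key_refresh in ("true", "wkd"):` block returns only on success, and after `out.eend(1)` control reaches `out.ebegin("Refreshing keys from keyserver{}"...)` for both values, so `wkd` behaves like `true` rather than the WKD-only mode the man page in this commit promises. A user who chose `wkd` precisely to avoid contacting a keyserver gets that contact silently on any WKD failure, which defeats the point of the option. After `out.eend(1)` add `if self.repo.sync_openpgp_key_refresh == "wkd":` with `out.eerror("WKD key refresh failed and keyserver fallback is disabled by sync-openpgp-key-refresh=wkd")` and then the same outcome the keyserver path produces when its retries are exhausted; that code continues past the hunk, so I cannot see whether it raises or returns, but a silent `return` here would be weaker than the `false` setting, which at least warns that revoked keys cannot be detected. The enclosing method begins before this hunk and continues after it.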
@@ -1217,9 +1217,28 @@ only for protocols supporting cryptographic verification, provided that the respective verification option is enabled. If unset, the user's keyring is used. .TP -.B sync\-openpgp\-key\-refresh = yes +.B sync\-openpgp\-key\-refresh = yes|true|wkd|keyserver|no|false|false-nowarn Enable OpenPGP key(ring) refresh. This option is enabled by default. +The refresh method is determined by the value: +.RS +.TP +\fIyes\fR (\fItrue\fR) +Attempt refresh first via WKD (Web Key Directory), with a fallback to the configured keyserver. (Default) +.TP +\fIwkd\fR +Refresh keys using WKD only. +.TP +\fIkeyserver\fR +Refresh keys using the configured keyserver only. +.TP +\fIno\fR (\fIfalse\fR) +Disable refresh and emit a warning about the security impact. +.TP +\fIfalse\-nowarn\fR +Disable refresh without emitting a warning. +.RE + \fBWarning\fR: It is a security vulnerability to disable this option because this will prevent detection of revoked keys!
