# [SOLVED] sks-key-poisoning news

## xanderal

Hi,

sorry, just want to make sure I understand this correctly: https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html

As far as I understand this I've got nothing to worry about and can just emerge --sync, correct?

This is my /etc/portage/repos.conf:

```
[DEFAULT]
main-repo = gentoo
sync-allow-hardlinks = yes

[gentoo]
location = /usr/portage
#sync-type = webrsync
sync-type = rsync
sync-uri = rsync://rsync.gentoo.org/gentoo-portage
sync-webrsync-verify-signature = true
auto-sync = yes
sync-rsync-verify-jobs = 1
sync-rsync-verify-metamanifest = yes
sync-rsync-verify-max-age = 24
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
sync-openpgp-key-refresh-retry-count = 40
sync-openpgp-key-refresh-retry-overall-timeout = 1200
sync-openpgp-key-refresh-retry-delay-exp-base = 2
sync-openpgp-key-refresh-retry-delay-max = 60
sync-openpgp-key-refresh-retry-delay-mult = 4

# for daily squashfs snapshots
#sync-type = squashdelta
#sync-uri = mirror://gentoo/../snapshots/squashfs
```

But then there is that part at the end:

 *https://www.gentoo.org/news/2019/07/03/sks-key-poisoning.html wrote:*   

> The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:
> 
> ```
> [gentoo]
> 
> ...
> ```

 

Should I do that now or should I just wait for the next portage version or emerge-webrsync or what?

Sorry, usually I have no problem understanding news like that but that article just confuses me...

Thanks in advance.

Last edited by xanderal on Wed Jul 17, 2019 5:50 pm; edited 1 time in total

----------

## NeddySeagoon

xanderal,

It's safe to do it now and it prevents you from picking up a poisoned key if Gentoo distro keys were attacked.

----------

## xanderal

 *NeddySeagoon wrote:*   

> xanderal,
> 
> It's safe to do it now and it prevents you from picking up a poisoned key if Gentoo distro keys were attacked.

 

Ok, got to be real nooby here and ask for clarification: What is "it"?

emerge --sync?

emerge-webrsync?

change of repos.conf and then emerge --sync?

----------

## NeddySeagoon

xanderal,

It changes how Gentoo keys are delivered to you.

Make the configuration change, then nothing.

Next time you use either webrsync or delta-webrsync, it will use the gemato distributed keys.

If you use neither webrsync nor delta-webrsync, there is nothing you need do.

----------
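
Added example, not part of any post in this thread and not Portage's own code: a Python check that reads a repos.conf like the one posted above and reports whether the webrsync-specific settings apply to the configured sync-type. The function names, the sample make.conf input, and treating "yes"/"true" as enabled are assumptions.

```python
import configparser
import re

# Constructed sample: the active settings relevant here, from the repos.conf posted above.
REPOS_CONF = """\
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
#sync-type = webrsync
sync-type = rsync
sync-webrsync-verify-signature = true
sync-rsync-verify-metamanifest = yes
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-release.asc
"""

def enabled(section, key):
    # Assumption: "yes" and "true" (any case) both mean enabled.
    return section.get(key, "").strip().lower() in ("yes", "true")

def audit_sync(repos_conf, make_conf="", repo="gentoo"):
    """Return (sync_type, findings) for one repository section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repos_conf)
    sec = cp[repo]
    sync_type = sec.get("sync-type", "").strip()
    findings = []
    if sync_type not in ("rsync", "webrsync"):
        return sync_type, [f"sync-type {sync_type!r} is not covered by this check"]
    if not sec.get("sync-openpgp-key-path", "").strip():
        findings.append("sync-openpgp-key-path is not set")
    if sync_type == "rsync":
        if not enabled(sec, "sync-rsync-verify-metamanifest"):
            findings.append("sync-rsync-verify-metamanifest is not enabled")
        if "sync-webrsync-verify-signature" in sec:
            findings.append("sync-webrsync-verify-signature only applies to sync-type = webrsync")
    else:
        if not enabled(sec, "sync-webrsync-verify-signature"):
            findings.append("sync-webrsync-verify-signature is not enabled")
        # The quoted news item says to remove PORTAGE_GPG_DIR from make.conf.
        if re.search(r"^\s*PORTAGE_GPG_DIR\s*=", make_conf, re.MULTILINE):
            findings.append("PORTAGE_GPG_DIR is still set in make.conf")
    return sync_type, findings

if __name__ == "__main__":
    kind, notes = audit_sync(REPOS_CONF)
    print(kind, notes or "no findings")
```
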

## xanderal

Ok, just in case anyone else wants to know:

Just synced with 'emerge --sync' without changing the config, everything worked well, update afterwards, too.

So, thanks NeddySeagoon again ;)

----------

## mrbassie

I'm getting the following output from emerge --sync 

```
gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
gpg:                 aka "Gentoo ebuild repository signing key (Automated Signing Key) <infrastructure@gentoo.org>" [unknown]
gpg: WARNING: Using untrusted key!
```

Should I be concerned?

----------

