
Improved the security of build-time file signature verification

Separated unrelated keyrings.
Each file is now verified using keys from the relevant keyring only.
Keyrings are verified to contain the necessary keys only (MITM protection).

Removed dependence on support.mayfirst.org, which has no mirrors -
mfpl.crt certificate has been added to the source tree instead:

openssl x509 -in conf/certs/mfpl.crt -noout -fingerprint -sha256
SHA256 Fingerprint=5D:39:5F:00:61:46:E1:A7:1D:F8:F3:8E:CA:17:F4:AD
                  :2D:B0:91:F4:31:C9:5B:EC:F0:72:A5:E8:D5:F8:1C:A7

gpg: Signature made Wed 28 Sep 2011 01:40:08 MSD
gpg:                using RSA key 0xBB0B7EE15F2E4935
gpg: Good signature from "Jamie McClelland <jamie@mayfirst.org>"
gpg:                 aka "Jamie McClelland <jm@mayfirst.org>"
gpg:                 aka "Jamie McClelland <jamie@progressivetech.org>"
Primary key fingerprint: 1CB5 7C59 F2F4 2470 238F  53AB BB0B 7EE1 5F2E 4935

gpg: Signature made Mon 12 Jan 2009 21:07:51 MSK
gpg:                using RSA key 0xCCD2ED94D21739E9
gpg: Good signature from "Daniel Kahn Gillmor <dkg@fifthhorseman.net>"
gpg:                 aka "Daniel Kahn Gillmor <dkg@debian.org>"
gpg:                 aka "Daniel Kahn Gillmor <dkg@openflows.com>"
gpg:                 aka "[jpeg image of size 3515]"
Primary key fingerprint: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9
Maxim Kammerer 14 anni fa
parent
commit
f6d910fdaa
4 ha cambiato i file con 47 aggiunte e 38 eliminazioni
  1. 22 0
      conf/certs/mfpl.crt
  2. 0 10
      conf/pubkeys
  3. 21 21
      mkroot
  4. 4 7
      src/root/setup

+ 22 - 0
conf/certs/mfpl.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

+ 0 - 10
conf/pubkeys

@@ -13,13 +13,3 @@ gentoo:   13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
 
 # Gentoo Portage Snapshot Signing Key (Automated Signing Key)
 gentoo:   AE54 54F9 67B5 6AB0 9AE1  6064 0838 C26E 239C 75C4
-
-
-# HKPS CA certificate signatures
-# http://zimmermann.mayfirst.org/
-
-# Jamie McClelland <jm@mayfirst.org>
-mayfirst: 1CB5 7C59 F2F4 2470 238F  53AB BB0B 7EE1 5F2E 4935
-
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-mayfirst: 0EE5 BE97 9282 D80B 9F75  40F1 CCD2 ED94 D217 39E9

+ 21 - 21
mkroot

@@ -27,8 +27,6 @@ portage=${MIRROR}/snapshots/portage-latest.tar.bz2
 gpg_wwwserver='https://zimmermann.mayfirst.org/pks/lookup?op=get&search=0x${fpr}'
 gpg_keys=`sed '/^#/d; /^$/d; s/ //g' ${FROM}/conf/pubkeys`
 
-mfpl=https://support.mayfirst.org/raw-attachment/wiki/mfpl_certificate_authority/mfpl.crt
-
 
 # Copying and pruning
 if [ "$2" = copy ]; then
@@ -121,13 +119,9 @@ if [ "$2" = fresh  -o  ! -d ${LIVECD}/src ]; then
     wget -N -nv -P ${LIVECD}/mirror/portage ${portage}.gpgsig ${portage}
 
 
-    sinfo "Downloading HKPS CA certificate"
-    wget -N -q  -P ${LIVECD}/mirror/keys --no-check-certificate ${mfpl}
-    wget -N -nv -P ${LIVECD}/mirror/keys --ca-certificate=${LIVECD}/mirror/keys/mfpl.crt \
-        ${mfpl}.jamie.asc ${mfpl}.dkg.asc
-
-
     sinfo "Fetching PGP public keys and verifying fingerprints"
+    cp ${FROM}/conf/certs/mfpl.crt ${LIVECD}/mirror/keys
+
     for key in ${gpg_keys}; do
         org=`echo ${key} | cut -d: -f1`
         fpr=`echo ${key} | cut -d: -f2`
@@ -139,9 +133,11 @@ if [ "$2" = fresh  -o  ! -d ${LIVECD}/src ]; then
         fi
 
         if type gpg 1>/dev/null 2>&1; then
-            gpg -q --homedir ${LIVECD}/mirror/gnupg --import ${LIVECD}/mirror/keys/${org}-${keyid}.asc
+            gpg -q --homedir ${LIVECD}/mirror/gnupg --no-default-keyring \
+                --keyring ${org}.gpg --import ${LIVECD}/mirror/keys/${org}-${keyid}.asc
 
-            fpr2=`gpg -q --homedir ${LIVECD}/mirror/gnupg --fingerprint --with-colons 0x${fpr} | grep '^fpr:' | cut -d: -f 10`
+            fpr2=`gpg -q --homedir ${LIVECD}/mirror/gnupg --keyring ${org}.gpg \
+                      --fingerprint --with-colons 0x${fpr} | sed -n '/^fpr:/p' | cut -d: -f10`
             if [ ${fpr} != "${fpr2}" ]; then
                 echo "Fingerprint mismatch: [${fpr}] != [${fpr2}]"
                 exit 1
@@ -153,21 +149,25 @@ if [ "$2" = fresh  -o  ! -d ${LIVECD}/src ]; then
 
 
     if type gpg 1>/dev/null 2>&1; then
+        sinfo "Verifying keyrings"
+        for keyring in `echo "${gpg_keys}" | cut -d: -f1 | sort -u`; do
+            keyids=`gpg -q -k --homedir ${LIVECD}/mirror/gnupg --keyring ${keyring}.gpg \
+                        --fingerprint --with-colons | sed -n '/^fpr:/p' | cut -d: -f10 | sort`
+            expids=`echo "${gpg_keys}" | sed -n "/^${keyring}:/p" | cut -d: -f2 | sort`
+
+            if [ "${keyids}" != "${expids}" ]; then
+                echo "Unexpected public keys in keyring ${keyring}.gpg"
+                exit 1
+            fi
+        done
+
+
         sinfo "Verifying stage3 and portage PGP signatures"
-        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always \
+        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
             --verify ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc
-        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always        \
+        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \
             --verify ${LIVECD}/mirror/portage/portage-latest.tar.bz2.gpgsig \
                      ${LIVECD}/mirror/portage/portage-latest.tar.bz2
-
-
-        sinfo "Verifying HKPS CA certificate"
-        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always \
-            --verify ${LIVECD}/mirror/keys/mfpl.crt.jamie.asc        \
-                     ${LIVECD}/mirror/keys/mfpl.crt
-        gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always \
-            --verify ${LIVECD}/mirror/keys/mfpl.crt.dkg.asc          \
-                     ${LIVECD}/mirror/keys/mfpl.crt
     else
         sinfo "*** No GnuPG, skipping stage3, portage and HKPS CA certificate verification"
     fi
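Review bot: `--no-default-keyring` is passed only to the `--import` in the fingerprint loop; the `fpr2=` lookup, the `gpg -k` listing in the new "Verifying keyrings" loop and both `--verify` calls add `--keyring ${org}.gpg` on top of the default pubring.gpg in ${LIVECD}/mirror/gnupg, so that default keyring is still part of every later gpg invocation. If I read gpg's keyring handling correctly, a non-fresh mirror whose gnupg directory was populated by the previous version of this script (which imported into the default keyring) will surface as a spurious "Unexpected public keys in keyring gentoo.gpg" failure, and the `--verify` trust set is not strictly the per-org keyring that was just checked. Adding `--no-default-keyring` next to every `--keyring` option makes each step operate on exactly one keyring, e.g. `gpg -q --homedir ${LIVECD}/mirror/gnupg --no-default-keyring --keyring gentoo.gpg --trust-model always --verify ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc`. Separately, the `else` branch on the last line still announces that HKPS CA certificate verification is skipped although that step no longer exists; `sinfo "*** No GnuPG, skipping stage3 and portage verification"` matches the new code. The `if [ "$2" = fresh ... ]` block these hunks belong to starts before the first hunk.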

+ 4 - 7
src/root/setup

@@ -480,7 +480,6 @@ sed -i 's/^#\?\(ENCRYPT_METHOD\) .*/\1 SHA256/' /etc/login.defs
 pwconv
 pwck -qr
 
-groupdel smmsp || [ $? = 6 ]
 grpck -r
 grpconv
 
@@ -508,12 +507,10 @@ done
 
 
 sinfo "Initializing a secondary PGP keyring"
-sudo -n -u anon touch     /home/anon/persist/security/pgp/liberte.gpg
-sudo -n -u anon chmod 600 /home/anon/persist/security/pgp/liberte.gpg
-sudo -n -u anon gpg -q --homedir /home/anon/persist/security/pgp \
-    --primary-keyring liberte.gpg --import /usr/local/addons/keys/liberte-*.asc
-sudo -n -u anon cp -p /usr/local/addons/keys/mfpl.crt /home/anon/persist/security/pgp
-sudo -n -u anon chmod 600 /home/anon/persist/security/pgp/mfpl.crt
+sudo -n -u anon gpg -q --homedir /home/anon/persist/security/pgp --no-default-keyring \
+    --keyring liberte.gpg --import /usr/local/addons/keys/liberte-*.asc
+install -p -o anon -g legion -m 600 -t /home/anon/persist/security/pgp \
+    /usr/local/addons/keys/mfpl.crt
 
 # clear pam_mktemp's append-only attribute to allow later livecd directory removal
 chattr -f -a /tmp/.private || true
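Review bot: The rewrite drops the `touch`/`chmod 600` that previously created liberte.gpg before the import, so the mode of the secondary keyring now depends on how gpg creates the file under the anon user's umask; I believe current GnuPG creates keyring files with restrictive permissions, but that is not something I would rely on across versions, and the same hunk still takes care to install mfpl.crt with `-m 600`. One line after the import restores the old guarantee without the extra `sudo` calls: `sudo -n -u anon chmod 600 /home/anon/persist/security/pgp/liberte.gpg`. This is a flat setup script; the steps around this hunk are outside it.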