authorMichał Górny <mgorny@gentoo.org>2018-02-01 12:44:49 +0100
committerMichał Górny <mgorny@gentoo.org>2018-02-05 19:41:35 +0100
commita02b5f9f0ae428eeb6cdc30bb3bcb7ac647358de (patch)
treef2b897254fea3b658c8b3c498225ca88663d5cfc
parentrsync: Use gemato routines directly instead of calling the CLI tool (diff)
rsync: Verify the Manifest signature even if tree is unchanged
Always verify the Manifest signature if verification is enabled. Skipping the deep tree verification for the unchanged case is reasonable, but we need to make sure the Manifest signature stays valid to catch the case of the signing key being revoked. Reviewed-by: Zac Medico <zmedico@gentoo.org>
-rw-r--r--pym/portage/sync/modules/rsync/rsync.py13
1 files changed, 9 insertions, 4 deletions
diff --git a/pym/portage/sync/modules/rsync/rsync.py b/pym/portage/sync/modules/rsync/rsync.py
index 39c4066d8..e6e218868 100644
--- a/pym/portage/sync/modules/rsync/rsync.py
+++ b/pym/portage/sync/modules/rsync/rsync.py
@@ -292,7 +292,7 @@ class RsyncSync(NewBase):
self._process_exitcode(exitcode, dosyncuri, out, maxretries)
# if synced successfully, verify now
- if exitcode == 0 and not local_state_unchanged and self.verify_metamanifest:
+ if exitcode == 0 and self.verify_metamanifest:
if gemato is None:
writemsg_level("!!! Unable to verify: gemato-11.0+ is required\n",
level=logging.ERROR, noiselevel=-1)
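Review bot: The context comment `# if synced successfully, verify now` no longer explains the condition beneath it, which after this change also fires when rsync left the tree unchanged, and a reader will wonder why an unchanged tree is re-verified at all. Suggest `# if synced successfully, verify now -- even for an unchanged tree, so a signing key revoked or expired since the last sync is still caught`. Whether the `gemato is None` branch only logs or also fails the sync is not visible in the hunk; if it only logs, a host without gemato now prints this error on every no-op sync, which is presumably acceptable but worth confirming. The enclosing method continues outside the hunk.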
@@ -315,6 +315,8 @@ class RsyncSync(NewBase):
openpgp_env.refresh_keys()
out.eend(0)
+ # we always verify the Manifest signature, in case
+ # we had to deal with key revocation case
m = gemato.recursiveloader.ManifestRecursiveLoader(
os.path.join(self.repo.location, 'Manifest'),
verify_openpgp=True,
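Review bot: Catching a revoked key here depends entirely on `openpgp_env.refresh_keys()` actually reaching a keyserver; if a refresh failure returns instead of raising, the signature is checked against the stale local keyring and the revoked key is still accepted, so confirm that refresh errors surface as a GematoException reaching the `except GematoException` handler below (or fail the sync explicitly when the refresh does not complete). The new comment is also awkwardly worded; suggest `# always verify the Manifest signature, even for an unchanged tree: the refreshed keyring may now show the signing key as revoked or expired`. The ManifestRecursiveLoader call continues past the end of the hunk.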
@@ -336,9 +338,12 @@ class RsyncSync(NewBase):
out.einfo('- timestamp: %s UTC' % (
m.openpgp_signature.timestamp))
- out.ebegin('Verifying %s' % (self.repo.location,))
- m.assert_directory_verifies()
- out.eend(0)
+ # if nothing has changed, skip the actual Manifest
+ # verification
+ if not local_state_unchanged:
+ out.ebegin('Verifying %s' % (self.repo.location,))
+ m.assert_directory_verifies()
+ out.eend(0)
except GematoException as e:
writemsg_level("!!! Manifest verification failed:\n%s\n"
% (e,),