Manifest

Generating the Manifest

In the tree, every package has a Manifest file. This file lives in the same directory as the ebuilds for the package. The Manifest file contains digests (currently RMD160, SHA1, SHA256, SHA512 and WHIRLPOOL) and file size data for every file in the directory and any subdirectories. This is used to verify integrity. The Manifest may also be digitally signed.

To generate the Manifest, use ebuild foo.ebuild manifest. When committing, the Manifest file must be regenerated to handle any changes — repoman will do this automatically.

Signing the Manifest using your GPG key

Requirements:

• >=sys-apps/portage-2.0.51_pre10
• >=app-crypt/gnupg-1.2.4

Key Setup:

• Create a new DSA GnuPG key with at least a 1024 bit keylength, an expiration period no longer than 6 months and a good passphrase.
• Upload the key to a keyserver.

Portage Configuration:

• Set PORTAGE_GPG_DIR to your ~/.gnupg/ directory (or the directory where the keyring with your new key is).
• Set PORTAGE_GPG_KEY to the key id of your new key.
• Set FEATURES="sign".

Now you should be able to sign your Manifests on repoman commit. Repoman will ask you for your passphrase before committing the Manifest. This step is after it has committed the other files. At the moment repoman doesn't check if the Manifest is already signed, so others are able to "unsign" your package later. This will change before signing is made mandatory.