The Manifest is a file containing checksums for files in the ebuild directory.
A Manifest can be generated by running:
The Manifest2 file is a plain text file. Each line of the file has the following format:
<type> <filename> <size> <hash-type> <hash> [<hash-type> <hash> ...]
- <type>: The type of the particular file. This could be:
  - An ebuild file
  - Another file in the ebuild directory
  - A file in the files/ subdirectory
  - A distfile — a file fetched as sources by the ebuild
- <filename>: The name of the file.
- <size>: The size of the file as a decimal number, in bytes.
- <hash-type>: The type of hash in the following field.
- <hash>: The checksum of the file as a hexadecimal number, of the type specified by <hash-type>.
The hashes currently supported by Portage are:
- SHA256 (SHA-2),
- SHA512 (SHA-2),
- RMD160 (RIPEMD),
As of Jul 3rd, 2012, the hashes used in the Gentoo repository are: RMD160, SHA1 and SHA256.
On Jul 4th, 2012, the hashes used will change to: SHA1, SHA256 and WHIRLPOOL (source: gentoo-dev-announce: New Manifest hashes).
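The line format and hash list above, as an added example that is not Portage's own code: a small Python checker that parses one Manifest2 line and verifies the file's size and every hash it can compute locally. Assumptions of the example: the entry type names EBUILD, MISC and AUX (only DIST appears on this page), the mapping from Manifest hash names to hashlib names, the policy of skipping a hash the local Python build lacks while requiring at least one that matches, and the constructed sample ebuild; it does not check a PGP signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest <hash-type> -> hashlib name (mapping assumed for this example).
HASHLIB = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512",
           "RMD160": "ripemd160", "WHIRLPOOL": "whirlpool"}
TYPES = ("EBUILD", "MISC", "AUX", "DIST")  # Manifest2 entry types

def parse_line(line):
    """Split '<type> <filename> <size> <hash-type> <hash> [...]'."""
    f = line.split()
    if len(f) < 5 or len(f) % 2 == 0 or f[0] not in TYPES or not f[2].isdigit():
        raise ValueError("malformed Manifest line: %r" % line)
    if f[1].startswith("/") or ".." in f[1].split("/"):
        raise ValueError("filename escapes its directory: %r" % f[1])
    return f[0], f[1], int(f[2]), dict(zip(f[3::2], f[4::2]))

def verify_entry(line, pkg_dir, distdir):
    """Return 'ok' or the reason the entry failed verification."""
    ftype, name, size, hashes = parse_line(line)
    # AUX entries live under files/, DIST entries in the distfile directory.
    root = {"AUX": Path(pkg_dir, "files"), "DIST": Path(distdir)}.get(ftype, Path(pkg_dir))
    path = root / name
    if not path.is_file():
        return "missing"
    if path.stat().st_size != size:
        return "size mismatch"
    data, checked = path.read_bytes(), 0
    for htype, expected in hashes.items():
        try:
            digest = hashlib.new(HASHLIB.get(htype, ""), data).hexdigest()
        except ValueError:
            continue  # hash unavailable in this Python build; rely on the others
        if digest != expected.lower():
            return htype + " mismatch"
        checked += 1
    return "ok" if checked else "no supported hash"

def demo():
    """Constructed sample: one ebuild, checked before and after tampering."""
    with tempfile.TemporaryDirectory() as pkg:
        ebuild, body = Path(pkg, "foo-1.0.ebuild"), b'EAPI=4\nDESCRIPTION="sample"\n'
        ebuild.write_bytes(body)
        line = "EBUILD foo-1.0.ebuild %d SHA256 %s SHA512 %s" % (
            len(body), hashlib.sha256(body).hexdigest(), hashlib.sha512(body).hexdigest())
        before = verify_entry(line, pkg, pkg)
        ebuild.write_bytes(body.replace(b"4", b"5"))  # same size, new content
        return before, verify_entry(line, pkg, pkg)
```

The tampered file keeps its original size, so only the hash comparison catches the change; the size field alone is a cheap first check, not an integrity guarantee.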
A Thin Manifest is a Manifest file in which checksums are stored only for distfiles (DIST type) and not for files inside the repository. It is meant for repositories fetched through a VCS that already ensures local file integrity.
Thin Manifests are enabled in a repository through the thin-manifests entry of layout.conf.
A Manifest file may contain a PGP signature, which can be used to verify the authenticity of the hash entries (and thus of all files listed in the Manifest). In that case, the Manifest file uses the OpenPGP ASCII-armored message format.
Manifest signing is enabled by default if Portage has a GPG key set. It can be disabled explicitly for a repository through the sign-manifests entry of layout.conf.