Portage Security

Ensuring the security of your portage tree
WIP: this is a work in progress.

This page aims to answer the question "How can I dispel doubts regarding the security of the portage tree on my system?", that is, to ensure that the portage tree is a direct result of the canonical git repos, without outside interference.

This question is answered differently depending on whether you use webrsync, rsync, git-mirror, or the canonical git repos directly.

webrsync
Whenever you run emerge-webrsync, the downloaded tarball is always checked against the Gentoo release keys, which are provided by app-crypt/gentoo-keys.

The only caveat is that this method doesn't do any further checking after having unpacked the tarball, so if your portage tree was compromised before the webrsync, it's possible that it's still compromised afterwards. If you're not sure about the state of your portage tree, wipe it out before running emerge-webrsync.
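As an added example (not part of this wiki page or of emerge-webrsync itself), the following POSIX shell script shows that caveat concretely: it builds a constructed snapshot tarball, unpacks it over a tree that already contains a file the snapshot does not, and lists the leftover. The stray_files function can also be pointed at a real snapshot and repository directory; the tarball layout (a top-level portage/ directory) and all file names and contents below are assumptions.

```shell
#!/bin/sh
# Added example: find files in an unpacked tree that are not members of
# the snapshot tarball. tar only adds and overwrites, it never deletes,
# so anything already in the tree before the sync survives it.
set -eu

# stray_files SNAPSHOT.tar TREE_DIR
# Prints paths (relative to TREE_DIR) present on disk but absent from the tarball.
stray_files() {
    snapshot=$1; tree=$2
    expected=$(mktemp); actual=$(mktemp)
    # File members of the tarball, first path component ("portage/") stripped.
    tar -tf "$snapshot" | grep -v '/$' | sed 's|^[^/]*/||' | sort > "$expected"
    # Regular files actually on disk, relative to the tree root.
    (cd "$tree" && find . -type f | sed 's|^\./||') | sort > "$actual"
    # Lines only in the second file: on disk, but not in the snapshot.
    comm -13 "$expected" "$actual"
    rm -f "$expected" "$actual"
}

# demo [wipe]: build a constructed snapshot and a pre-seeded tree, unpack the
# snapshot over it the way emerge-webrsync does, and print the stray files.
# With "wipe", the old tree is removed first, as the page recommends.
demo() {
    work=$(mktemp -d)
    # Constructed snapshot with a top-level "portage/" directory (assumed layout).
    mkdir -p "$work/src/portage/sys-apps/portage" "$work/src/portage/profiles"
    echo 'EAPI=8' > "$work/src/portage/sys-apps/portage/portage-3.0.ebuild"
    echo 'sys-apps/portage' > "$work/src/portage/profiles/categories"
    tar -cf "$work/snapshot.tar" -C "$work/src" portage
    # Pre-existing tree containing one constructed file the snapshot lacks.
    mkdir -p "$work/portage/sys-apps/portage/files"
    echo '# not from the snapshot' > "$work/portage/sys-apps/portage/files/stale.patch"
    if [ "${1:-}" = wipe ]; then rm -rf "$work/portage"; fi
    tar -xf "$work/snapshot.tar" -C "$work"
    stray_files "$work/snapshot.tar" "$work/portage"
    rm -rf "$work"
}

# Usage: demo        -> prints sys-apps/portage/files/stale.patch
#        demo wipe   -> prints nothing
```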

What do I need to do?
You need to enable the feature as explained in the handbook.

How can I dispel doubt?
Seeing "Checking signature..." in the output should be enough to dispel your doubts. You can also read the contents of `/usr/bin/emerge-webrsync`, which is small enough to be easily audited.

If you're in hardcore mode, you'll have to set up a man-in-the-middle attack against your own download and check that verification fails.

What do I need to trust?

 * 1) that Gentoo's release keys haven't been compromised.
 * 2) that the contents of the key files that app-crypt/gentoo-keys points to are actually the Gentoo release keys.

rsync
Since Portage 2.3.21, Portage supports recursive checking of signed Manifests.