Project:Portage/Repository verification

This page describes the different methods used to ensure the authenticity of a Gentoo repository checkout.

How does it work?
The verification starts at the top-level Manifest, a file located in the root directory of the ebuild repository. This file must carry a valid OpenPGP signature, which is verified before any other file is read from the repository. If the signature passes verification, the Manifest tree is read recursively.

Each Manifest file specifies checksums for other data files and/or sub-Manifest files. Every file is verified against those checksums before it is used, so a sub-Manifest is only parsed once its own checksum has passed. The tooling also verifies that there are no stray files: files that are not listed in any Manifest but could still influence the package manager's behavior.