Repository format/package/Manifest

Manifest is Article description::a file containing checksums for files in the [[ebuild directory.]]

A Manifest can be generated by running the following command:

Or by using the following command:

File format
The Manifest2 file is a plain text file. Each line of the file has the following format:

    [  ...]


 * type
 * The type of the particular file. This could be:


 * EBUILD
 * An ebuild file
 * MISC
 * Another file in the ebuild directory
 * AUX
 * A file in the files/ subdirectory
 * DIST
 * A distfile — a file fetched as sources by the ebuild


 * filename
 * The name of the file.


 * size
 * The size of the file as decimal number, in bytes.


 * hash-type
 * The type of hash in the following field.


 * hash
 * The checksum of the file as hexadecimal number, of type specified by .

Hash types
The hashes currently supported by Portage include:


 * MD5
 * SHA1
 * SHA256 (SHA-2)
 * SHA512 (SHA-2)
 * SHA256 (SHA-3)
 * SHA512 (SHA-3)
 * RMD160 (RIPEMD)
 * BLAKE2S
 * BLAKE2B
 * WHIRLPOOL

On November 12th, 2017, The Council has approved the manifest-hashes switch.

According to this plan, BLAKE2B will be enabled on 2017-11-21. This means that starting at this time, all new and updated DIST entries in the Gentoo ebuild repository will use BLAKE2B+SHA512. Old DIST entries will still use the old (SHA256+SHA512+WHIRLPOOL) hash set until updated.

Thin Manifest
A thin manifest is a manifest file in which checksums are stored only for distfiles (DIST type) and not for files inside the repository. The motivation for that is whenever the repository is fetched through a VCS which ensures local file integrity already.

Thin manifests are enabled in a repository through thin-manifests entry of layout.conf.

Manifest signing
A Manifest file may contain a PGP signature which can be used to verify the authenticity of hash entries (and thus all files listed in the Manifest). The OpenPGP ASCII armored message format is used for the Manifest file then.

The Manifest signing is enabled by default if portage has a GPG key set. It can be disabled explicitly for a repository through sign-manifests entry of.

Recursive signed Manifests (rsync)
See Project:Portage/Repository_Verification