Gemato

From Gentoo Wiki
Jump to: navigation, search

Gemato (Gentoo Manifest Tool) is a stand-alone utility to verify and update Manifest files distributed in the Gentoo ebuild repository.

Installation

USE flags

USE flags for app-portage/gemato Stand-alone Manifest generation & verification tool

gpg Install dependencies needed for OpenPGP signature verification support
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
tools Install additional utilities (benchmarks, hash testing tools, fast Manifest generators) to /usr/share/gemato.

Usage

Invocation

user $gemato --help
usage: /usr/lib/python-exec/python3.7/gemato [-h]
                                             {verify,update,create,hash,openpgp-verify}
                                             ...

Gentoo Manifest Tool

positional arguments:
  {verify,update,create,hash,openpgp-verify}
    verify              Verify one or more directories against Manifests
    update              Update the Manifest entries for one or more directory
                        trees
    create              Create a Manifest tree starting at the specified file
    hash                Generate hashes for specified file(s) and/or stdin
    openpgp-verify      Verify OpenPGP signatures embedded in specified
                        file(s) and/or stdin

optional arguments:
  -h, --help            show this help message and exit

Verifying the Gentoo ebuild repository

To manually verify the main ebuild repository:

user $gemato verify -K /usr/share/openpgp-keys/gentoo-release.asc /var/db/repos/gentoo
INFO:root:Refreshing keys...
INFO:root:Keys refreshed.
INFO:root:Manifest timestamp: 2020-05-25 00:38:25 UTC
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
INFO:root:- subkey: E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250
INFO:root:- timestamp: 2020-05-25 00:38:25 UTC
INFO:root:Verifying /var/db/repos/gentoo...
INFO:root:/var/db/repos/gentoo verified in 36.65 seconds

If the command exits with "verified" message, then the repository integrity has been successfully confirmed as valid.

Removal

Gemato should never be removed from the system since it is necessary for correct operation of Portage.

See also

  • Project:Portage/Repository verification — describes different methods used to ensure authenticity of the Gentoo ebuild repository.
  • Portage Security — aims to answer the question "How can I dispel doubts regarding the security of the Gentoo ebuild repository on a system?"