Repository format/package/Manifest

From Gentoo Wiki
Jump to:navigation Jump to:search

Manifest is a file containing checksums for files in the ebuild directory.

A Manifest can be generated by running the following ebuild command:

user $ebuild <ebuild> manifest

Or by using the following pkgdev command:

user $pkgdev manifest

File format

The Manifest2 file is a plain text file. Each line of the file has the following format:

<type> <filename> <size> <hash-type> <hash> [<hash-type> <hash> ...]
The type of the particular file. This could be:
An ebuild file
Another file in the ebuild directory
A file in the files/ subdirectory
A distfile — a file fetched as sources by the ebuild
The name of the file.
The size of the file as decimal number, in bytes.
The type of hash in the following field.
The checksum of the file as hexadecimal number, of type specified by <hash-type>.
FILE Manifestan example Manifest file (fragment of app-arch/gzip)
AUX gzip-1.4-no-gets.patch 779 RMD160 5d6fbfe2fe1e26587d542f18a2a85c6073b45251 SHA1 fa6cff43349c853657ded4ed3459737fb1047c56
DIST gzip-1.4.tar.gz 907411 RMD160 a74f782960387e3f05373acc258becb564eda82d SHA1 1d398dac6a7920a7de6e2685fe472a840eb2ce6e
DIST gzip-1.5.tar.xz 720956 RMD160 bffba2488ac06b314072cb51f131e021970667c7 SHA1 473aaac6a48445221fd5b03fde52f0236c7486ab
EBUILD gzip-1.4.ebuild 1357 RMD160 c86a4a719eca63708025b98427c15057b0620729 SHA1 54e7566134aa06bfb3fece4dafc0ea5dfb08052f
EBUILD gzip-1.5.ebuild 1282 RMD160 9d98f7e17a8a9fe82f07d11ae13aca2b4565468b SHA1 52314555b6904123381998a69e464c64f91c50ad
MISC ChangeLog 16327 RMD160 9276ad20a77f2ac3e63a0e6fb8a7d16db9bef59f SHA1 8d4c6637c0d774502d58d1966a22bbaee19fd950
MISC metadata.xml 258 RMD160 fb52cbd38f7a8c9d7fee81f2db5dde7e3b17e045 SHA1 27fbcb42e87ac32af5f2a864ffc330b23b7b9f70

Hash types

The hashes currently supported by Portage include:

  • MD5
  • SHA1
  • SHA256 (SHA-2)
  • SHA512 (SHA-2)
  • SHA256 (SHA-3)
  • SHA512 (SHA-3)
  • RMD160 (RIPEMD) (strongly discouraged)
  • WHIRLPOOL (strongly discouraged)

On November 12th, 2017, The Council has approved the manifest-hashes switch.

According to this plan, BLAKE2B will be enabled on 2017-11-21. This means that starting at this time, all new and updated DIST entries in the Gentoo ebuild repository will use BLAKE2B+SHA512. Old DIST entries will still use the old (SHA256+SHA512+WHIRLPOOL) hash set until updated.[1]

Thin manifest

A thin manifest is a manifest file in which checksums are stored only for distfiles (DIST type) and not for files inside the repository. The motivation for that is whenever the repository is fetched through a VCS which ensures local file integrity already.

Thin manifests are enabled in a repository through thin-manifests entry in the layout.conf file.

Manifest signing

A Manifest file may contain a PGP signature which can be used to verify the authenticity of hash entries (and thus all files listed in the Manifest). The OpenPGP ASCII armored message format is used for the Manifest file then.

FILE Manifestan example signed Manifest
Hash: SHA1

AUX udept.default-use.patch 902 RMD160 81c2fd8bbc2e8f8510d8cc7736118d82c23df0b5 SHA1 e65dd184924666a1de68c7a41d5ec77b436def57 SHA256 cc00de45cf39325ec2754dc9e2670a09eaf9244e7bc1fe5f3dda088c571ac961
DIST udept- 89028 RMD160 bd4b8bbc40fa5b57f694eb79125d8ca2fbd2c33c SHA1 90951248d900d0848e65f3928d1c27b3a4c3e00e SHA256 c5a8cea71b802c63b2aaf9aeefb4bc377a8f927f8291027f5d03a2cf2673bb9a
EBUILD udept- 884 RMD160 eec330cccb55c6e715494d2aa37f29a9b357e404 SHA1 056b8a11e3c603b24b0ad53d43b225411f7cc278 SHA256 72e51e5e81e4809565ce26e8ac96715a4972090a8a7042f7c324fd314ded54fd
MISC ChangeLog 2658 RMD160 7f987c4fb22756cae2d83d976aa54398a3b3460d SHA1 0177f104fc6030200453dca796fe60bc60fbd0a8 SHA256 b869ec000e2716d0e9398fed9b6a1f0e0995872115e6a5f11f5fb89bd940cfb5
MISC metadata.xml 390 RMD160 c8d1725dfd9b01f37be427d6ac5fbf52c06cfb64 SHA1 0a50103a3d147e85323e2f8670d9e4f16285a257 SHA256 7d5ca02c8521dbfdaacc0193028e598162ea3fe6f4d6e89f686c87a6a4d3b628
Version: GnuPG v2.0.16 (GNU/Linux)


The Manifest signing is enabled by default if portage has a GPG key set. It can be disabled explicitly for a repository through sign-manifests entry of layout.conf.

Recursive signed manifests (rsync)

See Project:Portage/Repository_Verification#Recursive_signed_Manifests_.28rsync.29