6. Manifest Signing Guide
Content:
6.a. How to sign Manifests?
Requirements:
- >=sys-apps/portage-2.0.51_pre10
- >=app-crypt/gnupg-1.2.4
Key Setup:
- Create a new DSA GnuPG key with a key length of at least 1024 bits, an
  expiration period of no longer than 6 months, and a good passphrase.
- Optional: upload the key to a keyserver.
Portage Configuration:
- Set PORTAGE_GPG_DIR to your ~/.gnupg/ directory
  (or the directory where the keyring with your new key is).
- Set PORTAGE_GPG_KEY to the key id of your new key.
- Set FEATURES="sign".
Now you should be able to sign your Manifests on repoman commit. Repoman will
ask you for your passphrase before committing the Manifest. This step happens
after it has committed the other files. At the moment repoman doesn't
check whether the Manifest is already signed, so others are able to "unsign" your
package later. This will change before signing is made mandatory.
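The Key Setup requirements above can be checked mechanically before the key id goes into PORTAGE_GPG_KEY. The following is an added example, not part of the original guide or of Portage; the function name, the 183-day reading of "6 months", and the sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a public key against this guide's Key Setup rules.
# Feed it gpg's colon listing, e.g. (values as set in make.conf):
#   gpg --homedir "$PORTAGE_GPG_DIR" --with-colons --fixed-list-mode \
#       --list-keys "$PORTAGE_GPG_KEY" | check_manifest_key
# Assumptions: dates are epoch seconds (--fixed-list-mode), "6 months" = 183 days.

check_manifest_key() {
    awk -F: '
        $1 == "pub" && !seen {
            seen = 1
            bits = $3 + 0; algo = $4 + 0; created = $6 + 0; expires = $7
            # Public-key algorithm 17 is DSA in OpenPGP.
            if (algo != 17)  { print "FAIL: not a DSA key (algorithm " algo ")"; bad = 1 }
            if (bits < 1024) { print "FAIL: key length " bits " is below 1024 bits"; bad = 1 }
            if (expires == "") {
                print "FAIL: key has no expiration date"; bad = 1
            } else if (expires - created > 183 * 86400) {
                print "FAIL: key is valid for more than 6 months"; bad = 1
            }
        }
        END {
            if (!seen) { print "FAIL: no pub record in input"; exit 2 }
            if (bad) exit 1
            print "OK: key meets the guide requirements"
        }
    '
}

# Constructed sample record (not a real key): 1024-bit DSA, about 116 days of validity.
printf '%s\n' 'pub:u:1024:17:0123456789ABCDEF:1100000000:1110000000::u:::scESC:' |
    check_manifest_key
```

The function exits 0 when the key matches, 1 when a rule is violated, and 2 when the input contains no `pub` record.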
6.b. How to verify Manifests?
Right now Portage has no integrated verification support. A first attempt to
check a Manifest is available for testing here.
This is alpha code, very incomplete and only for testing. No warranty is given.
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike
license.