aboutsummaryrefslogtreecommitdiff
blob: 665c25941526bd13f3c9ef7b72f449dafce9c8e8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
<?xml version="1.0"?>
<guide self="general-concepts/manifest/">
<chapter>
<title>Manifest</title>

<body>

<section>
<title>Generating the Manifest</title>
<body>
<p>
In the tree, every package has a <c>Manifest</c> file. This file lives in the same
directory as the ebuilds for the package. The <c>Manifest</c> file contains digests
(currently RMD160, SHA1, SHA256, SHA512 and WHIRLPOOL) and file size data for every
file in the directory and any subdirectories. This is used to verify integrity.
The <c>Manifest</c> may also be digitally signed.
</p>

<p>
To generate the <c>Manifest</c>, use <c>ebuild foo.ebuild manifest</c>. When
committing, the <c>Manifest</c> file must be regenerated to handle any CVS keyword
expansion changes <d/> <c>repoman</c> will do this automatically.
</p>
</body>
</section>

<section>
<title>Signing the Manifest using your GPG key</title>
<body>
<p>
Requirements:
</p>

<ul>
  <li>&gt;=sys-apps/portage-2.0.51_pre10</li>
  <li>&gt;=app-crypt/gnupg-1.2.4</li>
</ul>

<p>
Key Setup:
</p>

<ul>
  <li>
    <uri link="http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap2">Create</uri>
    a new DSA GnuPG key with at least a 1024 bit keylength, an expiration
    period no longer than 6 months and a good passphrase.
  </li>
  <li>
    <uri link="http://www.gentoo.org/doc/en/gnupg-user.xml#doc_chap3">Upload</uri>
    the key to a keyserver.
  </li>
</ul>

<p>
Portage Configuration:
</p>

<ul>
  <li>
    Set <path>PORTAGE_GPG_DIR</path> to your <path>~/.gnupg/</path> directory
    (or the directory where the keyring with your new key is).
  </li>
  <li>Set <path>PORTAGE_GPG_KEY</path> to the key id of your new key.</li>
  <li>Set FEATURES="sign".</li>
</ul>

<p>
Now you should be able to sign your Manifests on repoman commit. Repoman will
ask you for your passphrase before committing the Manifest. This step is
<e>after</e> it has committed the other files. At the moment repoman doesn't
check if the Manifest is already signed, so others are able to "unsign" your
package later. This will change before signing is made mandatory.
</p>
</body>
</section>

</body>
</chapter>
</guide>