News item draft, feedback welcome…

Title: Portage to verify git-synced ::gentoo per default
Author: Florian Schmaus <[email protected]>
Posted: 2025-11-XX
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-apps/portage
Portage is about to implicitly enable OpenPGP verification of the ::gentoo repository when synchronizing using git [1]. That is, a future Portage version will set
sync-git-verify-commit-signature = true
for the ::gentoo repository by default.
This behavior change requires action from users who are synchronizing
the "raw" ::gentoo git repository, as otherwise synchronization may
fail due to validation errors.
Users who are
- synchronizing the "sync friendly" ::gentoo git repository,
- using rsync as the synchronization mechanism,
- or using emerge-webrsync
are *not* required to take any action.
Remotes of the "sync friendly" ::gentoo git repository include:
- https://github.com/gentoo-mirror/gentoo
- https://anongit.gentoo.org/git/repo/sync/gentoo.git
- https://gitweb.gentoo.org/repo/sync/gentoo.git
No action is required when using one of these remotes.
However, users of the "raw" ::gentoo remote repository need to adjust
the repository configuration to verify against the "gentoo developers"
keyfile. Ensure that sec-keys/openpgp-keys-gentoo-developers,
providing this keyfile, is installed. Furthermore, the key refresh
method should be set to 'keyserver' (as WKD is not supported in this
case).
Remotes of this category include:
- https://github.com/gentoo/gentoo
- https://gitweb.gentoo.org/repo/gentoo.git/
A typical adjusted configuration may look like the following:
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-developers.asc
sync-openpgp-key-refresh = keyserver
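To check whether an existing repos.conf needs adjusting before the default flips, the following script classifies the [gentoo] section by its sync-uri using the remote lists above and reports the settings that still differ from the adjusted configuration. This is an added example written for this news item, not Portage code; the function names are hypothetical, the sample configurations are constructed, and the keyfile path and refresh value are taken from the configuration shown above.

```python
"""Report whether a repos.conf [gentoo] section needs adjusting.

Added example, not Portage code. The remote lists, the keyfile path and
the refresh setting are those given in the news item; the function
names are hypothetical.
"""
import configparser

# Remotes named in the news item. Comparison uses a normalized form
# (trailing "/" and ".git" dropped) so minor spelling differences in
# sync-uri do not matter.
SYNC_FRIENDLY_REMOTES = {
    "https://github.com/gentoo-mirror/gentoo",
    "https://anongit.gentoo.org/git/repo/sync/gentoo.git",
    "https://gitweb.gentoo.org/repo/sync/gentoo.git",
}
RAW_REMOTES = {
    "https://github.com/gentoo/gentoo",
    "https://gitweb.gentoo.org/repo/gentoo.git/",
}
# Keyfile installed by sec-keys/openpgp-keys-gentoo-developers.
DEVELOPERS_KEYFILE = "/usr/share/openpgp-keys/gentoo-developers.asc"


def normalize_uri(uri):
    """Drop a trailing slash and ".git" so equivalent remotes compare equal."""
    uri = uri.strip().rstrip("/")
    if uri.endswith(".git"):
        uri = uri[:-4]
    return uri


_SYNC_FRIENDLY = {normalize_uri(u) for u in SYNC_FRIENDLY_REMOTES}
_RAW = {normalize_uri(u) for u in RAW_REMOTES}


def check_gentoo_repo(conf_text):
    """Return (verdict, problems) for the [gentoo] section of conf_text.

    verdict is "no-action", "ok", "action-required", "unknown-remote" or
    "no-gentoo-section"; problems lists the settings that still need to
    change before sync-git-verify-commit-signature becomes the default.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("gentoo"):
        return "no-gentoo-section", []
    repo = parser["gentoo"]

    # rsync and emerge-webrsync users are unaffected by the change.
    if repo.get("sync-type") != "git":
        return "no-action", []

    uri = normalize_uri(repo.get("sync-uri", ""))
    if uri in _SYNC_FRIENDLY:
        return "no-action", []
    if uri not in _RAW:
        return "unknown-remote", []

    # Raw remote: verification must use the developers keyfile and the
    # keyserver refresh method, as WKD is not supported for this case.
    problems = []
    if repo.get("sync-openpgp-key-path") != DEVELOPERS_KEYFILE:
        problems.append(f"set sync-openpgp-key-path = {DEVELOPERS_KEYFILE}")
    if repo.get("sync-openpgp-key-refresh") != "keyserver":
        problems.append("set sync-openpgp-key-refresh = keyserver")
    return ("action-required" if problems else "ok"), problems


# Constructed sample: a raw-remote configuration before adjustment.
SAMPLE_RAW_UNADJUSTED = """\
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
"""

# Constructed sample: the adjusted configuration from the news item.
SAMPLE_RAW_ADJUSTED = """\
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-developers.asc
sync-openpgp-key-refresh = keyserver
"""

# Constructed sample: a sync-friendly remote, which needs no change.
SAMPLE_SYNC_FRIENDLY = """\
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://anongit.gentoo.org/git/repo/sync/gentoo.git
"""

if __name__ == "__main__":
    for name, text in (("raw, unadjusted", SAMPLE_RAW_UNADJUSTED),
                       ("raw, adjusted", SAMPLE_RAW_ADJUSTED),
                       ("sync-friendly", SAMPLE_SYNC_FRIENDLY)):
        verdict, problems = check_gentoo_repo(text)
        print(f"{name}: {verdict}")
        for problem in problems:
            print(f"  - {problem}")
```

On a real system, pass the contents of the file that defines the ::gentoo repository (for example /etc/portage/repos.conf/gentoo.conf) to check_gentoo_repo(); an "unknown-remote" verdict means the sync-uri is not one of the remotes listed in this news item and has to be classified by hand.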
1: https://bugs.gentoo.org/959831