DeveloperWiki talk:Package signing
Latest comment: 25 January 2019 by MGorny in topic Package signing in Gentoo
Package signing in Gentoo
Ebuild files are signed in Gentoo. In the development repository, all commits are signed by developers, and therefore all files in the repository are covered by signatures. For user distribution, git and rsync are supported. Git combines developer signatures with merge commits with automated signatures (the merge commit is always on top, so it's sufficient to verify that one commit). Rsync uses a nested tree of Manifests that describe checksums of every file in the repository, and the top Manifest has a cleartext signature.
Relevant documentation:
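
The nested-Manifest scheme described in the comment above, as an added Python sketch (not part of the original comment and not Gentoo's own tooling). The one-hash `TAG path size SHA512 digest` line layout is a simplified assumption, the sample tree is constructed, and the OpenPGP cleartext signature on the top Manifest is assumed to have been checked beforehand.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def verify_tree(root, manifest="Manifest", covered=None):
    """Check each entry of `manifest`, descending into MANIFEST entries."""
    covered = {manifest} if covered is None else covered
    problems, base = [], os.path.dirname(manifest)
    entries = [l.split() for l in Path(root, manifest).read_text().splitlines() if l.strip()]
    for tag, name, size, algo, digest in entries:
        rel = os.path.join(base, name)
        covered.add(rel)
        try:
            data = Path(root, rel).read_bytes()
        except FileNotFoundError:
            problems.append(f"missing: {rel}")
            continue
        if len(data) != int(size) or hashlib.new(algo.lower(), data).hexdigest() != digest:
            problems.append(f"mismatch: {rel}")
        elif tag == "MANIFEST":  # descend only into a sub-Manifest that verified
            problems += verify_tree(root, rel, covered)[0]
    return problems, covered

def audit(root):
    """Verify from the top Manifest, then flag files no Manifest accounts for."""
    problems, covered = verify_tree(root)
    present = {os.path.relpath(os.path.join(d, f), root) for d, _, fs in os.walk(root) for f in fs}
    return sorted(problems + [f"unlisted: {p}" for p in present - covered])

def entry(tag, name, path):
    data = Path(path).read_bytes()
    return f"{tag} {name} {len(data)} SHA512 {hashlib.sha512(data).hexdigest()}\n"

def build_sample(root):
    """Constructed sample tree: one ebuild, its package Manifest, a top Manifest."""
    pkg = Path(root, "app-misc", "demo")
    pkg.mkdir(parents=True)
    ebuild, sub = pkg / "demo-1.0.ebuild", pkg / "Manifest"
    ebuild.write_text('EAPI=7\nDESCRIPTION="constructed sample"\n')
    sub.write_text(entry("DATA", ebuild.name, ebuild))
    Path(root, "Manifest").write_text(entry("MANIFEST", "app-misc/demo/Manifest", sub))
    return ebuild, sub

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))  # an empty list means the tree verified
```

Because each sub-Manifest is itself hashed by its parent, a file changed together with a regenerated sub-Manifest still fails at the parent level, which is why a signature on the top Manifest alone covers the whole tree.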