--- emerge-webrsync 2006-04-15 12:29:44.000000000 +0300
+++ emerge-webrsync 2006-04-15 12:29:39.000000000 +0300
@@ -5,6 +5,12 @@
 # Author: Karl Trygve Kalleberg
 # Rewritten from the old, Perl-based emerge-webrsync script
+#
+# gpg key import
+# KEY_ID=0x7DDAD20D
+# gpg --homedir /etc/portage/gnupg --keyserver subkeys.pgp.net --recv-keys $KEY_ID
+# gpg --homedir /etc/portage/gnupg --edit-key $KEY_ID trust
+
 
 # If PORTAGE_NICENESS is overriden via the env then it will
 # still pass through the portageq call and override properly.
 PORTAGE_NICENESS="$(/usr/lib/portage/bin/portageq envvar PORTAGE_NICENESS)"
@@ -21,6 +27,13 @@ USERLAND="$(/usr/lib/portage/bin/portage
 DISTDIR="$(/usr/lib/portage/bin/portageq envvar PORTAGE_TMPDIR)/emerge-webrsync"
 PORTAGE_INST_UID="$(/usr/lib/portage/bin/portageq envvar PORTAGE_INST_UID)"
 PORTAGE_INST_GID="$(/usr/lib/portage/bin/portageq envvar PORTAGE_INST_GID)"
+WEBSYNC_VERIFY_SIGNATURE="$(/usr/lib/portage/bin/portageq envvar WEBSYNC_VERIFY_SIGNATURE)"
+PORTAGE_GPG_HOME="$(/usr/lib/portage/bin/portageq envvar PORTAGE_GPG_HOME)"
+
+if [ -z "$WEBSYNC_VERIFY_SIGNATURE" ]; then
+ WEBSYNC_VERIFY_SIGNATURE=0
+fi
+
 if [ ! -d $DISTDIR ] ; then
 mkdir -p $DISTDIR
 fi
@@ -50,6 +63,17 @@ else
 md5_com='true'
 fi
 
+if [ $WEBSYNC_VERIFY_SIGNATURE != 0 ]; then
+ if type -p gpg > /dev/null; then
+ gpg_com='gpg --homedir "${PORTAGE_GPG_HOME}" --verify ${FILE}.gpgsig ${FILE}'
+ else
+ echo "Cannot find gpg"
+ exit 1
+ fi
+else
+ gpg_com='true'
+fi
+
 sync_local() {
 echo Syncing local tree...
 if type -p tarsync &> /dev/null; then
@@ -123,7 +147,7 @@ while (( $attempts < 40 )) ; do
 echo " --- No md5sum present on the mirror. (Not yet available.)"
 continue
 elif [ -s "${FILE}" ]; then
- if eval "$md5_com"; then
+ if eval "$md5_com" && eval "$gpg_com"; then
 echo " === snapshot $FILE is correct, using it"
 sync_local
 echo
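Review bot: The key-import recipe in the new header comment fetches `KEY_ID=0x7DDAD20D` by 32-bit short ID from a keyserver and then runs `--edit-key $KEY_ID trust` with no fingerprint check in between, so an administrator following it verbatim trusts whatever key the keyserver returns for that ID. I would add a step between the two gpg lines, `# gpg --homedir /etc/portage/gnupg --fingerprint $KEY_ID   # compare with the fingerprint published out-of-band before trusting`. The comment also hard-codes `/etc/portage/gnupg` while the code further down reads the directory from `PORTAGE_GPG_HOME`; a sentence saying the two must match would keep the recipe and the code in step.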
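Review bot: `PORTAGE_GPG_HOME` is read from portageq on the new line but never checked, so with verification switched on and no value configured the verify command built later runs `gpg --homedir ""`, which fails on every snapshot with a message that does not name the cause. After the default block I would add `if [ "$WEBSYNC_VERIFY_SIGNATURE" != 0 ] && [ -z "$PORTAGE_GPG_HOME" ]; then echo "PORTAGE_GPG_HOME must be set when WEBSYNC_VERIFY_SIGNATURE is enabled" >&2; exit 1; fi`, unless make.globals is known to supply a default, which the hunk does not show. The default also leaves verification off (`WEBSYNC_VERIFY_SIGNATURE=0`), so existing installs gain nothing until it is enabled; that is presumably intended, but a comment on the default line saying so would spare the next reader the question.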
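Review bot: The `gpg_com` string relies on the exit status of `gpg --verify`, which is 0 for any good signature made by any key present in the `PORTAGE_GPG_HOME` keyring, including keys with no owner trust, so the `--edit-key ... trust` step from the header comment does not change what is accepted. The effective control is that this keyring holds only the snapshot-signing key; a comment above the assignment stating that would stop a future administrator from importing other keys into the same homedir. Two smaller points: `gpg --batch --homedir ...` would keep gpg from ever prompting in this non-interactive context, and the diagnostic on the failure branch belongs on stderr, `echo "Cannot find gpg" >&2`.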
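Review bot: For a snapshot already on disk, the combined test `if eval "$md5_com" && eval "$gpg_com"; then` now also requires `$FILE.gpgsig` to be present locally, but this branch never fetches a missing signature first, so a valid snapshot left by an earlier run without its `.gpgsig` falls through to the `else` branch below the hunk; if that branch discards the file, as the later failure paths do, a good snapshot is thrown away instead of just fetching its signature. Downloading `$FILE.gpgsig` before the test when `WEBSYNC_VERIFY_SIGNATURE` is on would avoid that. The enclosing `while (( $attempts < 40 ))` loop starts and ends outside the hunk.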
@@ -139,10 +163,24 @@ while (( $attempts < 40 )) ; do
 URI="${i}/snapshots/$FILE"
 rm -f "$FILE"
 if (eval "$FETCHCOMMAND $wgetops") && [ -s "$FILE" ]; then
+ URI="${i}/snapshots/$FILE.gpgsig"
+ rm -f "$FILE.gpgsig"
+
+ if [ $WEBSYNC_VERIFY_SIGNATURE != 0 ]; then
+ if ! (eval "$FETCHCOMMAND $wgetops") || ! [ -s "$FILE.gpgsig" ]; then
+ echo "Cannot download signature for $FILE"
+ continue
+ fi
+ fi
+
 if ! eval "$md5_com"; then
 echo "md5 failed on $FILE"
 rm ${FILE}
 continue
+ elif ! eval "$gpg_com"; then
+ echo "Signature validation failed on $FILE"
+ rm ${FILE}
+ continue
 else
 sync_local
 echo
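Review bot: On the new `Cannot download signature for $FILE` path the already-downloaded tarball is left in `$DISTDIR`, whereas the md5 and signature failure branches both `rm ${FILE}` before `continue`; an unverified tarball, plus any partially written `.gpgsig` that `-s` does not reject, is therefore left behind for the next attempt to sort out. I would change that branch to `rm -f "$FILE" "$FILE.gpgsig"` before `continue`, and likewise remove `${FILE}.gpgsig` alongside `${FILE}` in the md5 and gpg failure branches so no stale signature sits next to the next download. The enclosing `if (eval ...)` block and the `while (( $attempts < 40 ))` loop start and end outside the hunk.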