before a package is merged to / and after portage builds the CONTENTS file containing the hashes/mtimes of the new package, portage should sign the result for example, if i `emerge nano`, portage should produce a Manifest which hashes the files in /var/db/pkg/app-editores/nano-1.3.4/* and signs the result and then stores it in /var/db/pkg/app-editores/nano-1.3.4/ the problem being that if a malicious user compromises the box, currently they can replace any file and then just update the CONTENTS files; also, this will help out with binary packages and a level of 'trust' i think
the file should sign everything, not just CONTENTS that means CATEGORY, CC, DEPEND, LICENSE, etc...
*** Bug 64261 has been marked as a duplicate of this bug. ***
This seems a bit wonky. How to sign it automatically? Have an unencrypted key? Etc. Seems to me stricter perms might be a better start.
Closing this as WONTFIX until its usefulness can be shown.