Actual result: The portage snapshots are pgp signed with 4096 bit key 0xDB6B8C1F96D8BF6D providing the resulting SHA1 signature. $gpg -v --homedir /etc/portage/gpg/ --verify portage-20140101.tar.xz.gpgsig portage-20140101.tar.xz Version: GnuPG v2.0.22 (GNU/Linux) gpg: armor header: gpg: Signature made Thu 02 Jan 2014 01:55:03 AM CET using RSA key ID C9189250 gpg: using subkey C9189250 instead of primary key 96D8BF6D gpg: using PGP trust model gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" gpg: binary signature, digest algorithm SHA1 Expected result: use of SHA2 signature to harden portage distribution via emerge-webrsync