Currently the Gentoo installation procedure involves downloading a LiveCD (optionally), a stage3 and the Portage tarball (or using webrsync).
In order to verify these, users have to download a separate detached signature file (.asc), verify the '.asc' file and cross-check the hash in the '.asc' file against the downloaded file (e.g. sha512sum -c ....).
GPG lets users create a signed file (plain --sign option), which users then have to decrypt with the public key of the signer in order to use it.
My suggestion is to have mirrors host a gpg-signed installation LiveCD, stage3 and Portage tarball, and have the Gentoo handbook instruct users to import the release signing keys and decrypt their download before they can start using the downloaded files.
Bob@host ~/gpgtst $ ls -lah
drwxr-xr-x 2 Bob Bob 69 Jun 29 10:40 .
drwx------ 80 Bob Bob 16K Jun 29 10:05 ..
-rw-r--r-- 1 Bob Bob 700M Jun 29 10:38 livecd.iso
Bob@host ~/gpgtst $ sha512sum livecd.iso
Bob@host ~/gpgtst $ time gpg --sign livecd.iso
Bob@host ~/gpgtst $ ls
Bob@host ~/gpgtst $ time gpg --out install-livecd.iso --decrypt livecd.iso.gpg
gpg: Signature made Wed 29 Jun 2016 10:39:46 AM using RSA key ID 44F5B547
gpg: Good signature from "Bob-Host (GPG key for Bob used for encrypting FDE keys among other things) <Bob@host>" [ultimate]
Bob@host ~/gpgtst $ sha512sum install-livecd.iso
Bob@host ~/gpgtst $
It takes 17 seconds to sign the .iso file and 9 seconds to decrypt it (inside a VM, too!).
There are two obvious facts:
1) Most users don't verify hashes or bother with gpg verification.
2) Users would use gpg if it were the default method and did not involve burdensome steps.
Not having a detached signature would mean users *have to* decrypt the downloaded signed file before using it; this is a simple two-step procedure:
1) Import the PGP public keys used to sign the files (manually copy-paste the correct fingerprint from the Gentoo installation handbook for this step).
2) Decrypt the downloaded .gpg file (as shown above, just run gpg --output file --decrypt file.gpg).
I am not suggesting that the use of detached .asc/digest files be stopped, or that mirrors stop hosting plain installation files. My suggestion is to have this option and make it the default.
If this is done, I am confident most users will be using verified Gentoo installations. This will increase security for everyone.
Per IRC discussion in #gentoo-chat, this could also be used for ebuilds and tarballs with Portage; it will only require the signing keys to be imported once during the installation/setup of the OS.
Thanks in advance for considering this request.
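One caveat for the two-step procedure in the report: gpg --decrypt hands back the unpacked file whether or not the inline signature verifies, so the procedure is only as strong as the check that the signature really came from the fingerprint copied out of the handbook. The following is an added example, not part of the bug report, that performs that check on gpg's --status-fd lines; all fingerprints, key IDs and status text in it are constructed sample data.

```python
"""Added example, not from the bug report: accept gpg --decrypt output of an
inline-signed livecd.iso.gpg only when gpg's status lines show a valid
signature from the fingerprint copied out of the handbook. gpg --decrypt
unpacks a --sign'ed file even if the signature is bad or the key unknown, so
run it as: gpg --batch --status-fd 1 --output livecd.iso --decrypt livecd.iso.gpg
and feed stdout to check_status(). Fingerprints/key IDs below are constructed."""

FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "NODATA", "FAILURE"}

def check_status(status_text, trusted_fprs):
    """Return (accept, reason) from the [GNUPG:] lines of one gpg run."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    seen = []  # fingerprints gpg reported a cryptographically valid signature from
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, "gpg reported %s; do not use the output" % fields[1]
        if fields[1] == "VALIDSIG":
            # fields[2] = signing (sub)key fpr; optional fields[11] = primary key fpr
            seen.append(fields[2].upper())
            if len(fields) > 11:
                seen.append(fields[11].upper())
    if not seen:
        return False, "no VALIDSIG line: unsigned data or gpg did not run"
    matched = trusted.intersection(seen)
    if not matched:
        return False, "valid signature but from an unpinned key: " + ", ".join(seen)
    return True, "signed by pinned key " + min(matched)

# Constructed sample: what a user would copy-paste from the handbook
HANDBOOK_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
GOOD_RUN = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Engineering (constructed) <releng@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-06-29 1467189586 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] PLAINTEXT 62 1467189586 livecd.iso
"""
# Same shape, but signed by a key the user never pinned (a file re-signed with the wrong key)
OTHER_KEY_RUN = GOOD_RUN.replace("0123456789ABCDEF" * 2 + "01234567", "FEDCBA9876543210" * 2 + "FEDCBA98")
# Signature present but the key was never imported (ERRSIG rc 9 = no public key)
NO_KEY_RUN = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1467189586 9 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] NO_PUBKEY FEDCBA9876543210
"""

if __name__ == "__main__":
    for name, run in ("good", GOOD_RUN), ("other key", OTHER_KEY_RUN), ("no key", NO_KEY_RUN):
        print(name, check_status(run, {HANDBOOK_FPR}))
```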
This should be standard in all distros and it's shocking that it's not. Please fix this.