Bug 598589 - [Future EAPI] Add GPG --verify and/or GPG Array function in eBuilds
Summary: [Future EAPI] Add GPG --verify and/or GPG Array function in eBuilds
Status: RESOLVED DUPLICATE of bug 472594
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: PMS/EAPI (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: PMS/EAPI
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-30 18:08 UTC by tonemgub
Modified: 2016-10-31 18:03 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---



Description tonemgub 2016-10-30 18:08:02 UTC
In Arch's PKGBUILDs it is possible to specify a GPG key which will be checked prior to extracting the source package. This is particularly useful as a secondary check of verification for third-party overlays/sources to verify upstream sources are indeed correct. It is commonly used in PCR for this purpose.
(https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys for reference) 

I think it would be beneficial to add this feature to ebuilds to help add more security to overlays. While repoman does create a hash check, it does not verify trust via upstream .gpgsigs. This feature would allow maintainers to do so.

Thank you.
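The check the report asks for, as an added example that is not code from Portage, repoman, gentoo-keys or Arch's makepkg: verify the upstream detached signature in a throwaway keyring seeded only with a key file shipped alongside the ebuild, then accept the result only if gpg's machine-readable --status-fd output carries a VALIDSIG line naming a pinned fingerprint, which is what a PKGBUILD's validpgpkeys list pins. Checking gpg's exit status alone is not enough: any key present in the keyring yields GOODSIG, and gpg still prints VALIDSIG when the key has expired or been revoked (it prints EXPKEYSIG or REVKEYSIG in place of GOODSIG), so those statuses are rejected explicitly. The function names, the files/ key path and the fingerprints are assumptions, and the status-fd samples at the bottom are constructed, not captured gpg output.

```shell
#!/bin/sh
# Added example, not Portage/repoman/makepkg code: pin an upstream signing key
# the way PKGBUILD's validpgpkeys does. Function names and paths are assumptions.

# check_validsig STATUS FPR...
# STATUS is the text gpg wrote to --status-fd. Returns 0 only if a VALIDSIG line
# is present, no bad/expired/revoked status appears, and the signing key or its
# primary key matches one of the allowed fingerprints (spaces and case ignored).
check_validsig() {
    status=$1
    shift

    # Any of these means "do not trust", even though VALIDSIG may also be present
    # (EXPKEYSIG and REVKEYSIG replace GOODSIG but VALIDSIG is still emitted).
    if printf '%s\n' "$status" | awk '
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { found = 1 }
        END { exit !found }'; then
        return 1
    fi

    # VALIDSIG fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts>
    #   <sig-version> <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
    sig_fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    pri_fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$sig_fpr" ] || return 1

    for allowed in "$@"; do
        # normalise the pin: strip spaces, upper-case the hex digits
        allowed=$(printf '%s' "$allowed" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
        if [ "$allowed" = "$sig_fpr" ] || { [ -n "$pri_fpr" ] && [ "$allowed" = "$pri_fpr" ]; }; then
            return 0
        fi
    done
    return 1
}

# verify_src_sig TARBALL SIGFILE KEYFILE FPR...
# Runs gpg in a fresh home directory seeded only with KEYFILE (e.g. a key
# committed under files/ in the overlay), so the user's own keyring cannot widen
# what is accepted, then applies check_validsig to the status output.
verify_src_sig() {
    tarball=$1 sig=$2 keyfile=$3
    shift 3
    home=$(mktemp -d) || return 1
    if ! gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null; then
        rm -rf "$home"
        return 1
    fi
    rc=0
    status=$(gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] && check_validsig "$status" "$@"
}

# Constructed --status-fd samples (not real gpg output) for exercising
# check_validsig offline. The signature is made by signing subkey 1111...
# whose primary key is AAAA...
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Upstream Release <release@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-10-30 1477850400 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same signature after the key expired: VALIDSIG is still printed.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2222222222222222 Upstream Release <release@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-10-30 1477850400 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2222222222222222 Upstream Release <release@example.org>'
```

If this were wired into an ebuild (an assumption about placement), verify_src_sig would run in src_unpack before the tarball is unpacked, with the key file kept under files/ and the fingerprint written into the ebuild itself; a tarball and signature swapped for ones made with a different key then fail even when that key happens to be in the user's keyring, and the Manifest hash continues to pin the exact bytes the maintainer verified.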
Comment 1 Ulrich Müller gentoo-dev 2016-10-30 22:07:48 UTC
Since PMS doesn't even specify Manifest verification, this rather looks like GLEP territory (GLEP 57 to 61), not like something that should go into PMS.

*** This bug has been marked as a duplicate of bug 472594 ***
Comment 2 Brian Dolbec (RETIRED) gentoo-dev 2016-10-31 18:03:39 UTC
For overlays, there will be a system that involves the use of gkeys from the gentoo-keys project that will be integrated into portage/layman to verify the content of a repository.

But I think these functions could be needed for other content/purposes. The problem though involves the management of the multitude of keys being needed, their refresh updates, etc. That is something the gentoo-keys project was formed to deal with. There is a lot of the main code done already, but nothing has been done specifically for overlays as yet. There is still some more work to do for the main tree which is the initial target. Once that is in place, it will be relatively easy to add gpg verification for overlays, as the tools will be in place.