This is just a metabug for portage and signing. I was at a LUG meeting recently, and one of the things that came up was how Red Hat, via rpm and gpg signatures, can verify a binary on a system all the way back to the original creator. That got me thinking about how portage could use more signing in places; feel free to create more bugs and mark them as blockers in this bug.
Comment from a gentoo-user: Yes. I also think signing should really be pushed more. Also the documentation for the already implemented features could need improvement: I set the "gpg"-FEATURE and it complains because portage can't check the manifests ... for example the man-pages Manifest is signed by a key 4BB5F4CA that I couldn't find anywhere. Where do I get these keys? Another thing I really would like to see is checking of signed binaries from a BINHOST.
Concerning signed binaries: Maybe portage could generate a signature for the .tbz2 in /var/tmp/portage/package/build-info.
Putting a hold on feature requests for portage as they are drowning out the bugs. Most of these features should be available in the next major version of portage. But for the time being, they are just drowning out the major bugs and delaying the next version's progress. Any bugs that contain patches and any bugs for etc-update or dispatch-conf can be reopened. Sorry, I'm just not good enough with bugzilla. ;)