In the tree, every package has a Manifest file. This file lives in the same directory as the ebuilds for the package. The Manifest contains digests (the current list can be found in manifest-hashes) and file size data for every distfile used by the package. This is used to verify integrity upon fetching them.
To generate the Manifest, use ebuild foo.ebuild manifest or pkgdev manifest -m. You may want to set
calling it to fetch distfiles from their original locations immediately.
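How the digest and size data are used at fetch time, as an added example (not Portage or pkgdev code): it parses DIST entries and checks fetched data against them. The DIST line layout follows GLEP 74; the BLAKE2B/SHA512 pair, the function names and the sample distfile are assumptions constructed for illustration.

```python
import hashlib
import io

# Assumed hash set; the repository's manifest-hashes setting is authoritative.
HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def parse_dist(manifest_text):
    """Map filename -> (size, {hash_name: hexdigest}) for each DIST line."""
    entries = {}
    for fields in map(str.split, manifest_text.splitlines()):
        # DIST <name> <size> followed by one or more <HASH> <hexdigest> pairs
        if len(fields) >= 5 and fields[0] == "DIST" and len(fields) % 2:
            digests = dict(zip(fields[3::2], fields[4::2]))
            entries[fields[1]] = (int(fields[2]), digests)
    return entries


def verify_distfile(name, stream, entries):
    """Return a list of problems; an empty list means the data matches."""
    size, digests = entries.get(name, (-1, {}))
    hashers = {h: HASHERS[h]() for h in digests if h in HASHERS}
    if not hashers:
        return ["no usable DIST entry"]  # fail closed: no entry or no known hash
    actual_size = 0
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        actual_size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    problems = [] if actual_size == size else ["size mismatch"]
    for h_name, h in hashers.items():
        if h.hexdigest() != digests[h_name].lower():
            problems.append(h_name + " mismatch")
    return problems


def demo():
    """Constructed sample: check intact data, then a tampered copy."""
    name, data = "foo-1.0.tar.gz", b"constructed distfile contents\n"
    manifest = "DIST %s %d BLAKE2B %s SHA512 %s\n" % (
        name, len(data), hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())
    entries = parse_dist(manifest)
    return (verify_distfile(name, io.BytesIO(data), entries),
            verify_distfile(name, io.BytesIO(data + b"!"), entries))


if __name__ == "__main__":
    print(demo())
```

To check a file on disk, pass `open(path, "rb")` as the stream and the file's base name as the name.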
There are two kinds of Manifest files in Gentoo: thin Manifests that are used in the development repositories, and thick Manifests that are distributed via rsync to end users. Thin Manifests are described above.
Thick Manifests add checksums for all files in the repository, and an OpenPGP signature. This provides for both integrity and authenticity checking when the repository is transmitted over insecure channels. Thick Manifests are automatically generated on Gentoo Infrastructure, and require no specific action from developers.