Generating the Manifest

In the tree, every package has a Manifest file. This file lives in the same directory as the ebuilds for the package. The Manifest file contains digests (the current list can be found in metadata/layout.conf as manifest-hashes) and file size data for every distfile used by the package. This is used to verify integrity upon fetching them.

To generate the Manifest, use ebuild foo.ebuild manifest or pkgdev manifest -m. You may want to set GENTOO_MIRRORS= while calling it to fetch distfiles from their original locations immediately.

Thin and thick Manifests

There are two kinds of Manifest files in Gentoo: thin Manifests that are used in the development repositories, and thick Manifests that are distributed via rsync to end users. Thin Manifests are described above.

Thick Manifests add checksums for all files in the repository, and an OpenPGP signature. This provides both for integrity and authenticity checking when the repository is transmitted over insecure channels. Thick Manifests are automatically generated on Gentoo Infrastructure, and require no specific action from developers.