In the tree, every package has a Manifest file. This file lives in the same directory as the ebuilds for the package. The Manifest file contains digests (currently RMD160, SHA1, SHA256, SHA512 and WHIRLPOOL) and file size data for every file in the directory and any subdirectories. This is used to verify integrity. Manifest may also be digitally signed.
To generate the Manifest, run ebuild foo.ebuild manifest. When files in the package directory are added, removed or changed, the Manifest file must be regenerated to handle any changes; repoman will do this automatically.
Now you should be able to sign your Manifests on repoman commit. Repoman will ask you for your passphrase before committing the Manifest. This step happens after it has committed the other files. At the moment repoman doesn't check if the Manifest is already signed, so others are able to "unsign" your package later by regenerating and committing the Manifest without a signature. This will change before signing is made mandatory.
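As an added illustration of the format described above (example code, not Portage's or repoman's own implementation), the following Python builds a Manifest for a small constructed package held in memory, parses it back, and verifies sizes and digests the way an integrity check would, flagging a tampered ebuild whose size is unchanged but whose content differs. The line layout (TYPE name size ALGO hex ...) and the entry types AUX, DIST, EBUILD and MISC follow the real Manifest2 format; the file names, file contents and helper names are constructed for this example. Entries are read through PGP clearsign armour so a signed Manifest parses the same way, but the signature itself is not checked here.

```python
import hashlib

# Digest names as written in Manifest entries, mapped to hashlib names.
# RMD160 and WHIRLPOOL depend on the OpenSSL build; they are skipped when unavailable.
ALGOS = {"SHA256": "sha256", "SHA512": "sha512", "SHA1": "sha1",
         "RMD160": "ripemd160", "WHIRLPOOL": "whirlpool"}
ENTRY_TYPES = ("AUX", "DIST", "EBUILD", "MISC")


def _digest(algo, data):
    """Hex digest of data under a Manifest algorithm name, or None if unsupported here."""
    try:
        h = hashlib.new(ALGOS[algo])
    except (KeyError, ValueError):
        return None
    h.update(data)
    return h.hexdigest()


def entry_type(path):
    """Classify a package-directory path the way Manifest entries do (constructed rule)."""
    if path.endswith(".ebuild"):
        return "EBUILD"
    if path.startswith("files/"):
        return "AUX"          # AUX names are relative to files/
    return "MISC"


def generate_manifest(files, algos=("SHA256", "SHA512")):
    """Build Manifest text for {path: bytes}; this is what 'ebuild foo.ebuild manifest' does for a real directory."""
    lines = []
    for path in sorted(files):
        data = files[path]
        name = path[len("files/"):] if path.startswith("files/") else path
        parts = [entry_type(path), name, str(len(data))]
        for algo in algos:
            d = _digest(algo, data)
            if d is not None:
                parts += [algo, d]
        lines.append(" ".join(parts))
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return [(type, name, size, {algo: hex})], ignoring PGP armour, headers and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ENTRY_TYPES:
            continue
        if len(fields) % 2 != 1:
            raise ValueError("malformed Manifest entry: " + line)
        digests = dict(zip(fields[3::2], fields[4::2]))
        entries.append((fields[0], fields[1], int(fields[2]), digests))
    return entries


def verify_manifest(text, files):
    """Map each path to 'ok', 'size', 'digest', 'missing', 'unverified' or 'unlisted'."""
    results, listed = {}, set()
    for typ, name, size, digests in parse_manifest(text):
        path = "files/" + name if typ == "AUX" else name
        listed.add(path)
        if path not in files:
            results[path] = "missing"
            continue
        data = files[path]
        if len(data) != size:          # cheap check first, as Portage does
            results[path] = "size"
            continue
        status, checked = "ok", 0
        for algo, expected in digests.items():
            actual = _digest(algo, data)
            if actual is None:
                continue               # algorithm not available on this build
            checked += 1
            if actual != expected:
                status = "digest"
                break
        results[path] = status if checked else "unverified"
    for path in files:
        if path not in listed:
            results[path] = "unlisted"  # present on disk but not covered by the Manifest
    return results


# Constructed package contents for the demonstration.
PACKAGE = {
    "foo-1.0.ebuild": b'EAPI=8\nDESCRIPTION="constructed example"\n',
    "files/foo-1.0-build.patch": b"--- a/Makefile\n+++ b/Makefile\n",
    "metadata.xml": b"<pkgmetadata/>\n",
}


def demo():
    """Verify the clean package, then the same package with a same-size edit to the ebuild."""
    manifest = generate_manifest(PACKAGE)
    tampered = dict(PACKAGE)
    tampered["foo-1.0.ebuild"] = PACKAGE["foo-1.0.ebuild"].replace(b"EAPI=8", b"EAPI=7")
    return verify_manifest(manifest, PACKAGE), verify_manifest(manifest, tampered)


if __name__ == "__main__":
    clean, bad = demo()
    print("clean:", clean)
    print("tampered:", bad)
```

The size check alone would miss the tampered ebuild, which is why every entry carries digests as well; a signature over the Manifest then ties the digest list to a developer key, which is the part this example does not cover.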