Title: Portage to verify git-synced ::gentoo per default
Author: Florian Schmaus
Posted: 2025-11-01
Revision: 2
News-Item-Format: 2.0
Display-If-Installed: sys-apps/portage

Portage now implicitly enables OpenPGP verification of the "raw"
::gentoo repository when synchronizing using git [1]. That is,
>= Portage 3.0.70 will set

    sync-git-verify-commit-signature = true

for the "raw" ::gentoo repository as default.

This behavior change requires action from users who are synchronizing
the "raw" ::gentoo git repository, as otherwise synchronization may
fail due to verification errors.

Users

- synchronizing the "sync friendly" ::gentoo git repository,
- using rsync as synchronization mechanism
- or, using emerge-webrsync

are *not* required to take any action.

Remotes of the "sync friendly" ::gentoo git repository include:

- https://github.com/gentoo-mirror/gentoo
- https://anongit.gentoo.org/git/repo/sync/gentoo.git
- https://gitweb.gentoo.org/repo/sync/gentoo.git

We recommend using these instead of the "raw" repo because the "raw"
repo does not include news items, GLSAs, or generated metadata. No
action is required when using one of the remotes listed above. This
news item is NOT instructing users to start using the raw repo; it is
just a necessary change if you are already using it.

However, users of the "raw" ::gentoo remote repository need to adjust
the repository configuration to verify against the "gentoo developers"
keyfile. Ensure that sec-keys/openpgp-keys-gentoo-developers is
installed, as it provides this keyfile. Furthermore, the key refresh
method should be set to 'keyserver' because WKD is not supported with
the "gentoo developers" keyfile.

Remotes of this category include:

- https://github.com/gentoo/gentoo
- https://gitweb.gentoo.org/repo/gentoo.git/

A typical adjusted configuration may look like the following:

    [gentoo]
    location = /var/db/repos/gentoo
    sync-type = git
    sync-uri = https://github.com/gentoo/gentoo.git
    sync-openpgp-key-path = /usr/share/openpgp-keys/gentoo-developers.asc
    # If you experience hangs or refresh failures, try 'no' instead.
    sync-openpgp-key-refresh = keyserver

1: https://bugs.gentoo.org/959831
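
Added example (not part of the news item or of Portage): a Python check
that reads repos.conf text and reports whether the [gentoo] section
needs the adjustment described above. It assumes the file parses as INI
with Python's configparser; the function and constant names are
illustrative, and the sample configuration is constructed.

```python
import configparser

def _norm(uri):
    """Drop a trailing slash and '.git' so remote spellings compare equal."""
    uri = uri.strip().rstrip("/")
    return uri[:-4] if uri.endswith(".git") else uri

# Remotes and keyfile path copied from the news item.
RAW = {_norm(u) for u in ("https://github.com/gentoo/gentoo",
                          "https://gitweb.gentoo.org/repo/gentoo.git/")}
SYNC_FRIENDLY = {_norm(u) for u in (
    "https://github.com/gentoo-mirror/gentoo",
    "https://anongit.gentoo.org/git/repo/sync/gentoo.git",
    "https://gitweb.gentoo.org/repo/sync/gentoo.git")}
KEYFILE = "/usr/share/openpgp-keys/gentoo-developers.asc"

def check_gentoo_repo(conf_text):
    """Return findings for the [gentoo] section; an empty list means no action."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("gentoo"):
        return ["no [gentoo] section found"]
    repo = cp["gentoo"]
    if repo.get("sync-type", "").strip() != "git":
        return []                      # rsync / emerge-webrsync users: unaffected
    uri = _norm(repo.get("sync-uri", ""))
    if uri in SYNC_FRIENDLY:
        return []                      # "sync friendly" remote: unaffected
    if uri not in RAW:
        return ["sync-uri %r is not a remote named in the news item" % uri]
    findings = []
    if repo.get("sync-openpgp-key-path", "").strip() != KEYFILE:
        findings.append("set sync-openpgp-key-path = " + KEYFILE)
    if repo.get("sync-openpgp-key-refresh", "").strip() not in ("keyserver", "no"):
        findings.append("set sync-openpgp-key-refresh = keyserver (or no)")
    return findings

# Constructed sample: a raw-remote setup that predates the change.
SAMPLE_UNADJUSTED = """
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo/gentoo.git
"""

if __name__ == "__main__":
    for finding in check_gentoo_repo(SAMPLE_UNADJUSTED):
        print("action needed:", finding)
```

An empty result means either the repository is not affected or it
already carries both settings from the adjusted configuration.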