Hi, everyone. Just a quick note: I've prepared a simple tool [1] to verify clones of gentoo-mirror repositories. It's still early WiP but can be easily used to verify a clone:

$ ./verify-repo gentoo
[/var/db/repos/gentoo]
Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a (you may need to import/trust developer keys)
Note: unsigned changes in metadata and/or caches found (it's fine)

It can take any number of repository names and/or paths on argv, or will verify all installed repositories if run without arguments.

It has explicit support for unsigned cache update commits from gentoo-mirror (verifies the last signed commit and diffs it against HEAD); though it will probably get confused if signed commits out of metadata/ subrepos come (very rare case).

Verification is done using git's default GPG magic. I'd like to improve it to use gkeys but the project still hasn't achieved the ability to run out-of-the-box without local hackery.

Oh, as a side note: since Portage defaults to --depth=1 clones, signatures are usually lost. I've submitted a patch to increase the default depth to 10.

[1]: https://github.com/mgorny/verify-repo-mirror

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
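
The check described in the message (find the last signed commit, then diff it against HEAD and accept unsigned changes only in caches), sketched as an added example; it is not code from verify-repo. The metadata/ allow-list, the 10-commit look-back, the treatment of git's "U" status as "untrusted", and all function names are assumptions of this example.

```python
import subprocess

# Assumption of this example: unsigned mirror commits may only touch metadata/.
ALLOWED_PREFIXES = ("metadata/",)

def check(log_text, changed_since):
    """Decide whether HEAD is acceptable.

    log_text: output of `git log --format='%H %G?'`, newest commit first.
    changed_since(sha): paths from `git diff --name-only <sha> HEAD`.
    Returns (status, detail) with status in {"ok", "untrusted", "fail"}.
    """
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, sig = line.split()
        if sig == "N":              # unsigned commit: keep walking back
            continue
        # The first signed commit found from HEAD is the trust anchor.
        if sig not in ("G", "U"):   # B bad, E no key, X/Y expired, R revoked
            return ("fail", f"signature status {sig} on {sha}")
        outside = [p for p in changed_since(sha)
                   if not p.startswith(ALLOWED_PREFIXES)]
        if outside:
            return ("fail", f"unsigned changes outside metadata: {outside}")
        # U = valid signature, but the key is not trusted locally.
        return ("untrusted" if sig == "U" else "ok", sha)
    return ("fail", "no signed commit in fetched history (clone too shallow?)")

def git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout

def verify_repo(repo, lookback=10):
    """Run check() against a real clone at path `repo`."""
    log_text = git(repo, "log", "-n", str(lookback), "--format=%H %G?")
    return check(log_text, lambda sha: git(
        repo, "diff", "--name-only", sha, "HEAD").splitlines())

# Constructed sample: two unsigned cache commits on top of a signed one.
SAMPLE_LOG = "aaa111 N\nbbb222 N\nccc333 G\nddd444 G\n"

if __name__ == "__main__":
    print(check(SAMPLE_LOG, lambda sha: ["metadata/md5-cache/app-misc/foo-1.0"]))
```

With a --depth=1 clone whose only commit is an unsigned cache update, check() reaches the final return, which is the "signatures are usually lost" case from the message.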