On Mon, Jul 2, 2018 at 6:02 PM R0b0t1 <r03...@gmail.com> wrote:
> Signed hashes should be faster, no? Each directory with files could
> have a manifest.

Signatures work over hashes of data, anyway. I think what you're wondering, though, is the granularity of each signature? I'd recommend this be done on the per-file level, since we wouldn't want gentoo devs signing files in a directory they haven't actually inspected. For example, eclasses.

>
> > - Ensure the naming scheme of portage files is sufficiently strict, so
> > that renaming or re-parenting signed files doesn't result in RCE. [*]
> > - Distribute said .asc files with rsync per usual.
>
> Rsync would work with this setup, but there is also webrsync-gpg in
> Portage right now. This covers the vast majority of use cases right
> now.

Not sure whether you've missed the point or if you're responding to something slightly different, but it's worth noting that both rsync and webrsync-gpg right now check against infra signatures, rather than developer signatures, and this is a big problem.