*/*: GPKG (new binpkg format) Support (GLEP 78, provisionally)

Bug: https://bugs.gentoo.org/500630
Bug: https://bugs.gentoo.org/659864
Bug: https://bugs.gentoo.org/672672
Bug: https://bugs.gentoo.org/773259
Bug: https://bugs.gentoo.org/820578
Signed-off-by: Rin Cat (鈴猫) <dev@rincat.ch>
Closes: https://github.com/gentoo/portage/pull/562
Signed-off-by: Sam James <sam@gentoo.org>

2 files changed, 57 insertions, 0 deletions

diff --git a/cnf/make.conf.example b/cnf/make.conf.example
index a309a5c43..5b2229465 100644
--- a/cnf/make.conf.example
+++ b/cnf/make.conf.example
@@ -183,6 +183,42 @@
 # This ftp connection is active ftp.
 #PORTAGE_BINHOST="ftp://login:pass@grp.mirror.site:21*/pub/grp/i686/athlon-xp/"
 
+# Binary packages GPG commands
+# ============================
+#
+# Only works with GPKG format.
+# "binpkg-signing" needed to be set in FEATURES if need signing packages.
+# "binpkg-request-signature" needed to be set in FEATURES if you want all
+# binpkgs must have signature.
+# You need uncomment related commands and set "USER" and "SIGN_KEY" to yours.
+#
+# Binary package GPG singing base command
+# Basic command for all signature operations.
+# You need change this if you want to use other configurations,
+# Note that some configurations are configured separately below,
+# please do not add duplicate configurations
+#BINPKG_GPG_SIGNING_BASE_COMMAND="/usr/bin/flock /run/lock/portage-binpkg-gpg.lock /usr/bin/gpg --sign --armor [PORTAGE_CONFIG]"
+
+# Binary package GPG signature digests algorithm.
+#BINPKG_GPG_SIGNING_DIGEST="SHA512"
+
+# gnupg home directory used for signing.
+#BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
+
+# GPG key ID used for signing.
+#BINPKG_GPG_SIGNING_KEY="0x1234567890ABCD!"
+
+# Binary package GPG verify base command.
+# Basic command for all verify operations.
+#BINPKG_GPG_VERIFY_BASE_COMMAND="/usr/bin/gpg --verify --batch --no-tty --no-auto-check-trustdb --status-fd 2 [PORTAGE_CONFIG] [SIGNATURE]"
+
+# GPG home directory where store all trust binary package public keys.
+#BINPKG_GPG_VERIFY_GPG_HOME="/etc/portage/gnupg"
+
+# The user and group will be used when drop root privileges during GPG verify
+#GPG_VERIFY_USER_DROP="nobody"
+#GPG_VERIFY_GROUP_DROP="nogroup"
+
 # Synchronizing Portage
 # =====================
 #
diff --git a/cnf/make.globals b/cnf/make.globals
index cf4ad3533..69b365f71 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -38,6 +38,27 @@ PORTAGE_TMPDIR="/var/tmp"
 # existing installs where bzip2 is used for backward compatibility.
 BINPKG_COMPRESS="zstd"
 
+# The format used for binary packages. The default is use old "xpak" format.
+# Set to "gpkg" to use new gentoo binary package format.
+BINPKG_FORMAT="xpak"
+
+# The binary package default GPG signing command.
+# flock is used to avoid a racing condition of gnupg
+BINPKG_GPG_SIGNING_BASE_COMMAND="/usr/bin/flock /run/lock/portage-binpkg-gpg.lock /usr/bin/gpg --sign --armor [PORTAGE_CONFIG]"
+
+# The default binary package GPG digests algorithm.
+BINPKG_GPG_SIGNING_DIGEST="SHA512"
+
+# The binary package default GPG verify command.
+BINPKG_GPG_VERIFY_BASE_COMMAND="/usr/bin/gpg --verify --batch --no-tty --no-auto-check-trustdb --status-fd 2 [PORTAGE_CONFIG] [SIGNATURE]"
+
+# The binary package default GPG home directory for verify
+BINPKG_GPG_VERIFY_GPG_HOME="/etc/portage/gnupg"
+
+# The user and group will be used when drop root privileges during GPG verify
+GPG_VERIFY_USER_DROP="nobody"
+GPG_VERIFY_GROUP_DROP="nogroup"
+
 # Fetching command (3 tries, passive ftp for firewall compatibility)
 FETCHCOMMAND="wget -t 3 -T 60 --passive-ftp -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\""
 RESUMECOMMAND="wget -c -t 3 -T 60 --passive-ftp -O \"\${DISTDIR}/\${FILE}\" \"\${URI}\""