gemato provides a reference implementation of the full-tree Manifest checks as specified in GLEP 74 [1]. Originally focused on verifying the integrity and authenticity of the Gentoo ebuild repository, the tool can be used as a generic checksumming tool for any directory trees.

The basic purpose of gemato is to verify a directory tree against Manifest files. In order to do that, run the gemato verify tool against the requested directory:

gemato verify /var/db/repos/gentoo

The tool will automatically locate the top-level Manifest (if any) and check the specified directory recursively. If a subdirectory of the Manifest tree is specified, only the specified leaf is checked.

Creating a new Manifest tree can be accomplished using the gemato create command against the top directory of the new Manifest tree:

gemato create -p ebuild /var/db/repos/gentoo

Note that for the create command you always need to specify either a profile (via -p) or at least a hash set (via -H).

The gemato update command is provided to update an existing Manifest tree:

gemato update -p ebuild /var/db/repos/gentoo

Alike create, update also requires specifying a profile (-p) or a hash set (-H). The command locates the appropriate top-level Manifest and updates the specified directory recursively. If a subdirectory of the Manifest tree is specified, the entries for the specified leaf and respective Manifest files are updated.

gemato provides a few other utility commands that provide access to its crypto backend. These are:

gemato hash -H <hashes> [<path>...]

Print hashes of the specified files in Manifest-like format.

gemato openpgp-verify [-K <key>] [<path>...]

Check OpenPGP cleartext signatures embedded in the specified files.

gemato openpgp-verify-detached [-K <key>] <sig-file> <data-file>

Verify the specified data file against a detached OpenPGP signature.

gemato is written in Python and compatible with implementations of Python 3.9+. gemato is currently tested against CPython 3.9 through 3.11 and PyPy3. gemato core depends only on standard Python library modules.

Additionally, OpenPGP requires system install of GnuPG 2.2+ and requests Python module. Tests require pytest, and responses for mocking.