Title: Portage binpkg changes Author: Sam James Posted: 2026-05-03 Revision: 2 News-Item-Format: 2.0 Newer versions of Portage are making two changes to how binary packages work: 1) binary package signatures are now verified by default [0]; 2) fetched binary packages are stored separately from locally-built binaries (this change is already in a recent Portage release) [1]. Remote binary packages are now cached in /var/cache/binhost/NAME where NAME is given by the configuration item in /etc/portage/binrepos.conf. This allows clean separation of locally built binary packages vs. those with remote provenance, and to allow verification of fetched packages without forcing signing to be set up for local binpkgs. The cache location can be customised by setting `location` in binrepos.conf. gentoolkit has been updated to handle these cache locations too. This news item only applies if you use or produce binary packages. Official binhost users ====================== Fetched binary packages are now stored at /var/cache/binhost/gentoo (or a similar path, depending on contents of /etc/portage/binrepos.conf/*). No action is required, for two reasons: 1) all of the documentation included FEATURES="binpkg-request-signature", and 2) attempts to install a binpkg that is signed without any configuration would fail early. The only impact is that future binary package installs will need less setup. Setting FEATURES="binpkg-request-signature" is no longer needed for this case. Users may need to run `eclean-pkg` to cleanup old binary packages in the old, mixed location. Users of just the official binary host can stop reading at this point. Custom binhosts =============== Users who host their own binary packages and redistribute them to their machines will need to either: 1) start signing their binpkgs [2], or 2) set `verify-signature = false` in /etc/portage/binrepos.conf/* for the relevant configuration file for your binhost. Otherwise, fetched binpkgs will fail verification. To set up signing for binpkgs, a signing keyring must reside (by default) at /root/.gnupg and a verification keyring must reside (by default) at /etc/portage/gnupg. The verification keyring must mark the signing key as trusted. Signing is toggled by FEATURES="binpkg-signing". You can opt-in to this change early by setting `verify-signature = true` in /etc/portage/binrepos.conf/* for each binary repository configured, or under the special '[DEFAULT]' section. Users may need to run `eclean-pkg` to cleanup old binary packages in the old, mixed location. This does not apply if your binhost uses the old XPAK binary package format, but we encourage switching to BINPKG_FORMAT="gpkg" if that is the case. [0] https://bugs.gentoo.org/945384 [1] https://bugs.gentoo.org/945385 [2] https://wiki.gentoo.org/wiki/Binary_package_guide#Binary_package_OpenPGP_signing