There is a discussion about unsigned Manifest commits, and I decided to finally start signing the commits. It was indeed ridiculously easy, and there is even a Manifest Signing Guide.
No separate GPG key is needed, you can (and probably should) just use your developer GPG key.
If you are not sure what value to use for PORTAGE_GPG_KEY, here is an example of how to extract it:
$ gpg --list-public-keys
/home/%%%%%/.gnupg/pubring.gpg
---------------------------
pub 1024D/30427902 20%%-%%-%% [expires: 20%%-%%-%%]
uid Pawel Hajdan Jr <%%%@%%%>
Now the value you want in this example is 30427902. The key ID is also present on the roll-call page.
I've put those PORTAGE_GPG_ configuration values just in /etc/make.conf. Here's how it looks:
FEATURES="... sign ..."
PORTAGE_GPG_DIR="/home/%%%%%/.gnupg"
PORTAGE_GPG_KEY="30427902"
By the way, if you are using the developer profile (and I'd encourage you to do so), FEATURES="sign" is already enabled there by default.
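As an added example (my own script, not code from the post or from portage itself), here is a small Python audit that pulls the key ID out of a gpg listing like the one above and reports which Manifests in a tree are not clearsigned. The listing and the Manifest contents it works on are constructed samples, and it only checks that a signature envelope is present; whether the signature is valid is left to gpg --verify.

```python
import os
import re

# Constructed sample of `gpg --list-public-keys` output, laid out like the post's (placeholder data).
SAMPLE_GPG_LISTING = """\
/home/user/.gnupg/pubring.gpg
---------------------------
pub   1024D/30427902 2007-01-01 [expires: 2009-01-01]
uid                  Example Developer <dev@example.org>
sub   2048g/0A1B2C3D 2007-01-01
"""

# A 'pub' line reads "pub 1024D/30427902 ..."; the value PORTAGE_GPG_KEY wants is the hex after the slash.
PUB_LINE = re.compile(r"^pub\s+\d+[A-Za-z]/([0-9A-Fa-f]{8,16})\b")

def key_ids_from_listing(listing):
    """Return the IDs of every primary ('pub') key in a gpg listing; subkeys ('sub') are ignored."""
    return [m.group(1) for m in map(PUB_LINE.match, listing.splitlines()) if m]

# FEATURES="sign" clearsigns the Manifest, so a signed one carries these three markers.
CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIGNATURE_END = "-----END PGP SIGNATURE-----"

def manifest_is_signed(text):
    """True only for a complete clearsign envelope (presence, not validity: use `gpg --verify`)."""
    lines = text.splitlines()
    return (len(lines) > 3 and lines[0] == CLEARSIGN_HEADER
            and SIGNATURE_BEGIN in lines[1:] and lines[-1] == SIGNATURE_END)

def audit_manifests(manifests):
    """Classify (path, contents) pairs; return (signed_count, sorted list of unsigned paths)."""
    signed, unsigned = 0, []
    for path, text in manifests:
        if manifest_is_signed(text):
            signed += 1
        else:
            unsigned.append(path)
    return signed, sorted(unsigned)

def audit_tree(root):
    """Read every Manifest below root (e.g. the portage tree) and audit it."""
    def read_all():
        for dirpath, _dirs, files in os.walk(root):
            if "Manifest" in files:
                path = os.path.join(dirpath, "Manifest")
                with open(path, encoding="utf-8", errors="replace") as fh:
                    yield path, fh.read()
    return audit_manifests(read_all())
```

Point audit_tree at your tree root (assumed to be /usr/portage on a default setup) to get your own version of the signed/unsigned count.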
About 40% of the Manifests in the portage tree are signed. I think this is pretty good, and in fact I was expecting a much lower value before I saw the stats.
It's really really easy to get this to work. What are you waiting for? Start signing Manifests!