Indeed, but of course there's no private key signature element to the manifest, and the manifest is held on the same mirror as the ebuild ('recipe'), which includes the location to download the source from.
This makes it a trivial matter to replace packages without end-user detection if you have write access to a mirror (and there are lots of mirrors). This is the same problem reported in the original article on Arch.
I'm sure you knew this, but I wanted to point it out since I don't think the presence of the manifest does anything other than aid detection of corruption of the source tarball during or after download - it doesn't help with indicating package authenticity at all.
I believe there have been discussions over a git-based Portage but it's not got anywhere significant as yet, and GPG-based package signing seems to have been discussed for many years but still isn't stable as far as I can tell.
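To make the integrity-versus-authenticity distinction above concrete, here is an added example (not Portage code, and not from the comment's author) that models a mirror-hosted manifest in a simplified `DIST <name> <size> SHA512 <hex>` format, checks files against it, and separately checks an Ed25519 signature over the manifest using a public key assumed to be pinned by the client rather than fetched from the mirror. The file names, contents, key and manifest layout are all constructed for the example; real Portage manifests carry more entry types and hash kinds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// buildManifest renders a simplified manifest: one "DIST <name> <size> SHA512 <hex>"
// line per file, sorted by name. Constructed format for this example only; real
// Portage manifests also carry BLAKE2B digests and EBUILD/MISC entries.
func buildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha512.Sum512(files[n])
		fmt.Fprintf(&b, "DIST %s %d SHA512 %s\n", n, len(files[n]), hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// verifyIntegrity answers only "do these bytes match the manifest I was handed?".
// It says nothing about who produced the manifest.
func verifyIntegrity(manifest string, files map[string][]byte) bool {
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "DIST" || f[3] != "SHA512" {
			return false
		}
		data, ok := files[f[1]]
		if !ok || fmt.Sprint(len(data)) != f[2] {
			return false
		}
		sum := sha512.Sum512(data)
		if hex.EncodeToString(sum[:]) != f[4] {
			return false
		}
	}
	return true
}

// verifyAuthenticity answers "was this manifest signed by the holder of the key?".
// The public key must reach the client by a path the mirror does not control.
func verifyAuthenticity(pub ed25519.PublicKey, manifest string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(manifest), sig)
}

// Outcome records what each check reports in one scenario.
type Outcome struct {
	Integrity, Authenticity bool
}

// RunScenarios plays three situations against the same pinned public key.
func RunScenarios() (honest, mirrorSwap, corrupted Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample of what the maintainer publishes and signs.
	orig := map[string][]byte{"foo-1.0.tar.gz": []byte("legitimate tarball bytes")}
	origManifest := buildManifest(orig)
	sig := ed25519.Sign(priv, []byte(origManifest))

	// 1. Honest mirror: tarball and manifest are exactly as signed.
	honest = Outcome{verifyIntegrity(origManifest, orig), verifyAuthenticity(pub, origManifest, sig)}

	// 2. Mirror-side replacement: the tarball is swapped and the manifest beside it
	//    regenerated. Hash checking is satisfied; the old signature no longer verifies.
	swapped := map[string][]byte{"foo-1.0.tar.gz": []byte("replaced tarball bytes")}
	swappedManifest := buildManifest(swapped)
	mirrorSwap = Outcome{verifyIntegrity(swappedManifest, swapped), verifyAuthenticity(pub, swappedManifest, sig)}

	// 3. Transit corruption: genuine manifest, one byte of the download altered.
	bad := map[string][]byte{"foo-1.0.tar.gz": []byte("legitimate tarball byteZ")}
	corrupted = Outcome{verifyIntegrity(origManifest, bad), verifyAuthenticity(pub, origManifest, sig)}
	return
}

func main() {
	h, s, c := RunScenarios()
	fmt.Printf("honest mirror:      %+v\n", h)
	fmt.Printf("mirror-side swap:   %+v\n", s)
	fmt.Printf("corrupted download: %+v\n", c)
}
```

The second scenario is the point of the comment: a hash manifest stored next to the files it describes detects the corruption in scenario three but is silent when both files are replaced together, and only the signature check, keyed to something the mirror cannot alter, tells the two cases apart.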