On Tue, Jun 22, 2021 at 11:20 PM Karl <gmkarl@gmail.com> wrote:
Stefan,
Thank you for sharing this. I'm afraid I'm not familiar with the Debian dev process to look this up: do you know what avenues will be available for Debian users to verify public keys? Will there be signatures on the keyrings?

Hi Karl,

good question, I must admit I have just seen this today and the software seems to work the same as the one used by the OpenBSD[1] folks, which also no longer use OpenPGP for signing packages.

[1]

I have played with signify and minisign in the past and there are no options to certify a pub key or keyring, which we know from how GnuPG works. I guess they can sign the pub key file(s) between each other dev and then have to publish those results in a safe place?!

Regards
Stefan