Ditching OpenPGP, a new approach to signing APT repositories
Hi all,

https://wiki.debian.org/Teams/Apt/Spec/AptSign

Regards
Stefan
On Tue, Jun 22, 2021 at 11:20 PM Karl <gmkarl@gmail.com> wrote:
Stefan,
Thank you for sharing this. I'm afraid I'm not familiar enough with the Debian dev process to look this up: do you know what avenues will be available for Debian users to verify public keys? Will there be signatures on the keyrings?
Hi Karl,

Good question. I must admit I have only seen this today, and the software seems to work the same as the one used by the OpenBSD[1] folks, who also no longer use OpenPGP for signing packages. [1]

I have played with signify and minisign in the past, and there are no options to certify a pub key or keyring, as we know them from how GnuPG works. I guess they can sign each other's pub key file(s) and then have to publish those results in a safe place?!

Regards
Stefan
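The "sign each other's pub key file" idea above, worked through as an added example that is not part of the thread and not code from signify, minisign or APT: a trusted key certifies a developer's public key by signing the key file, and a client that only knows the trusted key first checks that certificate and only then checks the release signature under the developer key. Everything here is constructed (the key names "root", "dev" and "rogue", the "keycert:"/"release:" prefixes and the Release snippet are assumptions of the example); it uses Go's standard Ed25519, the same primitive minisign and signify build on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keypair is an in-memory Ed25519 key for one participant (a constructed
// stand-in for a signify/minisign key file; the names are hypothetical).
type Keypair struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewKeypair generates a fresh random key pair.
func NewKeypair(name string) (Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Keypair{}, err
	}
	return Keypair{Name: name, Pub: pub, Priv: priv}, nil
}

// KeyCert is a signature by a certifying key over another key's public
// key file, i.e. the "sign the pub key file" step discussed in the thread.
type KeyCert struct {
	SubjectName string
	SubjectPub  ed25519.PublicKey
	Signature   []byte
}

// certMessage builds the bytes that are signed for a key certificate. The
// fixed prefix (an assumed convention) keeps a key-certificate signature
// from ever verifying as a release signature, and vice versa, under one key.
func certMessage(name string, pub ed25519.PublicKey) []byte {
	msg := []byte("keycert:" + name + ":")
	return append(msg, pub...)
}

// releaseMessage applies the matching prefix for repository metadata.
func releaseMessage(release []byte) []byte {
	return append([]byte("release:"), release...)
}

// CertifyKey has signer vouch for subject's public key.
func CertifyKey(signer, subject Keypair) KeyCert {
	return KeyCert{
		SubjectName: subject.Name,
		SubjectPub:  subject.Pub,
		Signature:   ed25519.Sign(signer.Priv, certMessage(subject.Name, subject.Pub)),
	}
}

// VerifyKeyCert checks that c was issued by the holder of trusted.
func VerifyKeyCert(trusted ed25519.PublicKey, c KeyCert) bool {
	return ed25519.Verify(trusted, certMessage(c.SubjectName, c.SubjectPub), c.Signature)
}

// SignRelease signs repository metadata with a developer key.
func SignRelease(dev Keypair, release []byte) []byte {
	return ed25519.Sign(dev.Priv, releaseMessage(release))
}

// VerifyRelease is what a client holding only the trusted key would do:
// first check the certificate on the developer key, then the release
// signature under that (now trusted) developer key. Any failure is an error.
func VerifyRelease(trusted ed25519.PublicKey, c KeyCert, release, sig []byte) error {
	if !VerifyKeyCert(trusted, c) {
		return errors.New("developer key is not certified by the trusted key")
	}
	if !ed25519.Verify(c.SubjectPub, releaseMessage(release), sig) {
		return errors.New("release signature does not verify under the certified key")
	}
	return nil
}

func main() {
	root, _ := NewKeypair("root")
	dev, _ := NewKeypair("dev")
	rogue, _ := NewKeypair("rogue")
	// Constructed Release-file fragment; <hash> is a placeholder, not a real digest.
	release := []byte("Origin: Example\nSuite: stable\nSHA256:\n <hash> Packages\n")

	cert := CertifyKey(root, dev)
	sig := SignRelease(dev, release)
	fmt.Println("good release:", VerifyRelease(root.Pub, cert, release, sig))
	fmt.Println("tampered release:", VerifyRelease(root.Pub, cert, append(release, '!'), sig))
	fmt.Println("self-certified rogue key:", VerifyRelease(root.Pub, CertifyKey(rogue, rogue), release, SignRelease(rogue, release)))
}
```

The point a client implementer should take from this: without the certificate step, a repository client has nothing but an out-of-band keyring to tell a developer key from a rogue one, which is exactly the gap the thread notes in signify and minisign. The prefix on the signed bytes matters too; a certificate signature must not be usable as a release signature for the same key.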
Thanks.
From the signify website at https://flak.tedunangst.com/post/signify :
I’m thinking if we build a large enough bonfire, we should be able to generate smoke signals visible from space. Good thing the public keys are small.
participants (2): Karl, Stefan Claas