Holger Levsen <holger@layer-acht.org> writes:

> Hi Simon,
>
> On Wed, Jan 24, 2024 at 06:25:56PM +0100, Simon Josefsson wrote:
>> Following up on Holger's idea to publicly log Sigsum checksums, below is
>> a strawman on how to extend the InRelease and Release.gpg files to embed
>> Sigsum proofs and/or Sigstore cosign signatures.
>
> I think you should file this as a bug.

Good idea, done: https://bugs.debian.org/1061555

>> While this information can be distributed separately from these files,
>> it doesn't hurt to think about how in-band signatures could work.
>>
>> After the PGP signature in InRelease and Release.gpg, you could include
>> additional sections. For Sigstore cosign:
> ...
>> The parser needs to understand each format, and pass it to the
>> respective verifier somehow, and it has to ignore unknown data.
>
> I also think / would have thought :) collecting checksums of Debian packages
> should sensibly be possible without changing Debian workflows?!?

Definitely, and to me that seems like the most feasible approach to support already released apt-based distributions. This external work can lead to improved confidence in the tools involved. If there is interest in native support for this functionality, that is also possible.

/Simon