debsigs - status and plans?

To: debian-dpkg@lists.debian.org
Cc: Peter Pentchev <roam@debian.org>
Subject: debsigs - status and plans?
From: Steve McIntyre <steve@einval.com>
Date: Mon, 17 May 2021 12:32:52 +0100
Message-id: <[🔎] 20210517113252.GA8241@tack.einval.com>

[ Added Peter on CC in case he's not reading the -dpkg list ]

Hi folks,

I'm working on a project where inline signatures on Debian-style
packages would be very useful, so I've started playing with debsigs
and debsig-verify. Both packages *appear* to be maintained, with
uploads during the Bullseye development cycle. But right now things
don't work with gpg2, as shipped in Buster onwards (#988368,
#988646). I'm also very surprised that debsigs doesn't have any
verification code (#988369) - I'd always expect tools like this to be
able to verify their own output!

AIUI there was a plan to integrate signing more closely with dpkg. Is
that likely to happen at some point, and if so will it be compatible
with what's already shipped? If so, I may be able to help with the
existing tools. Alternatively, I may need to develop a parallel
implementation for my project, and obviously I'd like to stay
compatible if that's possible.

Can you give me some advice here please?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
            handing rope-creating factories for users to hang multiple
            instances of themselves.

Reply to:

Follow-Ups:
- Re: debsigs - status and plans?
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: Re: Storing package metadata in ELF objects
Next by Date: Re: debsigs - status and plans?
Previous by thread: Re: debsig-verify test data contains signatures w/o debian-binary included in the signed data!
Next by thread: Re: debsigs - status and plans?
Index(es):
- Date
- Thread