Your work is valuable. Many of the things have probably evolved over time and could use some analysis based on modern cryptography and security practices. I just wanted to point out that there are subtle but important differences outside of the key and signature formats. The most important distinction is probably the one of personal keys on the one hand which purpose is to identify a developer and the Release keys which are stored on some build servers to create Release files. You cannot only have PGP keys signing each other (like CAs and leaf certificates in X.509 PKI). PGP has subkeys and they could be used in the release process to mitigate risks. Example: 1. Debian creates a PGP key for releases. 2. The public key is installed in Debian to verify releases. 3. The release team creates subkeys for signing. 4. The main private key is stored in a restricted place. 5. The build server only uses the subkeys to sign releases. The subkeys could be expired and rotated all the time without changing the PGP fingerprint and therefore without changing the trusted key ring in the Debian installations. I do not know whether Debian actually makes use of this, or it has been discussed before. Regards Stephan
Attachment:
signature.asc
Description: This is a digitally signed message part