On 1/13/25 11:14, Simon Josefsson wrote:
nick black <dankamongmen@gmail.com> writes:i'm beginning to see use of minisign[0] as an alternative to GPG for signing releases[2]. i'm completely ambivalent with regards to the merits of minisign, but would like to be able to verify them with uscan.That would be great -- upstreams are using other mechanisms to sign their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I don't think there is any reason why 'uscan' shouldn't support all of them.
gitsign is supported
This reminds me about the 'apt-get install minisign' package naming concern that we tried to flesh out a migration policy for earlier. I think I ultimately got lost trying to work out the migration flow for how to achieve that... /Simon