
Re: RFC: Consequences of redesign of .deb signatures



Guillem Jover <guillem@debian.org> writes:

>  * Make the format extensible to other signature formats or workflows
>    (such as x509, secure-boot, IMA, etc., even if there's currently no
>    intention to add support for any of this).

I think this is a useful goal to make sure there is no PGP specific
assumption lurking.  The SSH signature format is low complexity, stable
and widely implemented, so maybe supporting this would be possible?  If
there is a framework to plug things into I may put some cycles into
implementing SSHSIG support.  I think supporting Sigstore and Sigsum
verification would be useful too, since I think in the coming years
we'll look at non-transparency-signed software releases in a similar way
that we look at non-signed software releases today.

/Simon


