Re: RFC: Consequences of redesign of .deb signatures

To: debian-dpkg@lists.debian.org
Cc: debian-devel@lists.debian.org, Steve McIntyre <93sam@debian.org>, Ferenc Wágner <wferi@debian.org>, Peter Pentchev <roam@debian.org>
Subject: Re: RFC: Consequences of redesign of .deb signatures
From: Simon Josefsson <simon@josefsson.org>
Date: Mon, 01 Sep 2025 13:41:55 +0200
Message-id: <[🔎] 87h5xmxuv0.fsf@josefsson.org>
In-reply-to: <[🔎] aLWCMreHqC_RGcSI@thunder.hadrons.org> (Guillem Jover's message of "Mon, 1 Sep 2025 13:23:30 +0200")
References: <[🔎] aLWCMreHqC_RGcSI@thunder.hadrons.org>

Guillem Jover <guillem@debian.org> writes:

>  * Make the format extensible to other signature formats or workflows
>    (such as x509, secure-boot, IMA, etc., even if there's currently no
>    intention to add support for any of this).

I think this is a useful goal to make sure there is no PGP specific
assumption lurking.  The SSH signature format is low complexity, stable
and widely implemented, so maybe supporting this would be possible?  If
there is a framework to plug things into I may put some cycles into
implementing SSHSIG support.  I think supporting Sigstore and Sigsum
verification would be useful too, since I think in the coming years
we'll look at non-transparency-signed software releases in a similar way
that we look at non-signed software releases today.

/Simon

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: RFC: Consequences of redesign of .deb signatures
  - From: Guillem Jover <guillem@debian.org>

References:
- RFC: Consequences of redesign of .deb signatures
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: RFC: Consequences of redesign of .deb signatures
Next by Date: Re: Introducing salsa-status.debian.net
Previous by thread: RFC: Consequences of redesign of .deb signatures
Next by thread: Re: RFC: Consequences of redesign of .deb signatures
Index(es):
- Date
- Thread