Hi,

On 11/2/25 10:32 AM, Simon Josefsson wrote:
> Philipp Kern <pkern@debian.org> writes:
>> In trying to retrofit this I also ran into the classic "and now I have an additional file to InRelease to provide the inclusion proof" problem.
>
> What do you think about putting all signatures in the InRelease file? The content to sign would be the same as the text in the PGP-armored InRelease file, which (modulo the long-standing final newline misbehaviour) is the same as the content of the Release file.
Wouldn't that break existing consumption of the file by apt and we would need a new one? Or does apt ignore bytes after the signature? Similarly there is a question of what exactly to sign, with GPG's cleartext canonicalization and all.
Kind regards
Philipp Kern
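The two points the thread turns on, "what exactly to sign" under the cleartext-signature canonicalization and the "final newline" difference between InRelease and Release, can be made concrete. The following is an added example, not code from the thread, from apt or from any Debian tool: it applies the RFC 4880 section 7.1 cleartext rules (dash-unescape, strip trailing spaces and tabs, CRLF line endings, no line ending after the last line) to a constructed InRelease and compares the result with the Release text a consumer would write out. The field values and the signature block are made up and the signature is a placeholder; nothing here verifies it. It also lists any bytes that follow the END PGP SIGNATURE marker, since whether a verifier ignores such bytes is a property of the verifier, which is exactly the question asked above.

```python
"""Constructed example: which bytes a cleartext signature over InRelease covers.

Assumptions (not from the thread): the field values and the signature block
below are made up, and the signature is a placeholder that is NOT verified.
The canonicalization rules implemented are those of RFC 4880 section 7.1.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed InRelease; note the deliberate trailing space after "amd64".
SAMPLE_INRELEASE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA512",
    "",
    "Origin: Example Archive",
    "Suite: stable",
    "Architectures: amd64 ",
    "Date: Sat, 01 Nov 2025 00:00:00 UTC",
    "SHA256:",
    " e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 main/binary-amd64/Packages",
    BEGIN_SIG,
    "",
    "PLACEHOLDERSIGNATUREDATA=",
    "=ABCD",
    END_SIG,
]) + "\n"


def _lines(text: str) -> list[str]:
    # Normalise CRLF to LF; a trailing "" element remains if the text ends in a newline.
    return text.replace("\r\n", "\n").split("\n")


def split_clearsigned(text: str) -> tuple[list[str], list[str], list[str]]:
    """Split a clearsigned message into (signed body lines, signature block
    lines including both markers, lines after the END marker)."""
    lines = _lines(text)
    try:
        start = lines.index(BEGIN_SIGNED)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    # Armor headers such as "Hash: SHA512" run until the first blank line.
    i = start + 1
    while i < len(lines) and lines[i] != "":
        i += 1
    i += 1  # skip the blank separator line
    try:
        sig_start = lines.index(BEGIN_SIG, i)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("signature block missing or unterminated") from None
    return lines[i:sig_start], lines[sig_start:sig_end + 1], lines[sig_end + 1:]


def canonical_signed_text(body_lines: list[str]) -> bytes:
    """Bytes the cleartext signature actually covers (RFC 4880 section 7.1):
    dash-escaping removed, trailing spaces/tabs stripped from every line,
    lines joined with CRLF, and no line ending after the last line."""
    out = []
    for line in body_lines:
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return "\r\n".join(out).encode("utf-8")


def release_text(body_lines: list[str]) -> str:
    """The Release-file text a consumer would write out: dash-escaping removed,
    LF line endings, trailing whitespace kept, and a final newline."""
    out = [line[2:] if line.startswith("- ") else line for line in body_lines]
    return "\n".join(out) + "\n"


def trailing_after_signature(text: str) -> list[str]:
    """Non-empty lines that follow the END PGP SIGNATURE marker. Whether a
    verifier ignores such bytes is up to that verifier, not the signature,
    so a checker should at least report them."""
    _, _, trailing = split_clearsigned(text)
    return [line for line in trailing if line.strip() != ""]


if __name__ == "__main__":
    body, sig, _ = split_clearsigned(SAMPLE_INRELEASE)
    signed = canonical_signed_text(body)
    release = release_text(body)
    print("signed bytes end with a line ending:", signed.endswith(b"\r\n"))
    print("release text ends with a line ending:", release.endswith("\n"))
    print("same bytes after CRLF mapping:",
          signed == release.encode("utf-8").replace(b"\n", b"\r\n"))
    print("lines after the signature:",
          trailing_after_signature(SAMPLE_INRELEASE + "garbage\n"))
```

Running it shows the two texts are not byte-identical: the signed form has no final line ending and has lost the trailing space, while the Release text keeps both. Any scheme that wants one signature to cover both files has to pin down which of these two byte strings is the message.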