Yadd <yadd@debian.org> writes:

> On 09/11/2025 at 22:31, Simon Josefsson wrote:
>> Yadd <yadd@debian.org> writes:
>>
>>> SSH signatures are more of a gimmick than a true electronic signature;
>>> I don't see the point of putting them on the same level as a GPG
>>> signature in uscan.
>>
>> What do you mean by gimmick? SSH signature support seems to be on-par
>> with PGP in plenty of eco-systems including github, gitlab etc.
>>
>> /Simon
>
> No trust system or public database, no expiration date, no revocation
> system, same key used for auth and sig which is a by-design
> vulnerability,...

Okay, I understand what you mean now -- although I suspect people
promoting SSH signatures consider most of those properties a feature and
not a bug. Generally the convention seems to be that the user manages
all key trust aspects.

Doesn't github publish SSH keys for users? That's one public database.

Expiration and revocation are handled by simply not using the key any
more, and removing it from where you publish it.

Auth vs sig key separation can be handled by the user too, just have two
keys and use them in different contexts.

Sigsum relies on SSH signatures but adds transparency logging on top,
which addresses some of your concerns too.

/Simon