David Kalnischkies <david@kalnischkies.de> writes:

> Anyway, as that thread started with a mail from Julian, you might
> remember this one: https://wiki.debian.org/Teams/Apt/Spec/AptSign

I think that design is good, but some considerations that may warrant re-thinking details would include:

1) Post-quantum signatures can be large (strongest SLH-DSA variant is ~50kb) so headers can become unreadable.

2) Inventing another signature format comes with eco-system cost. I'd use the SSHSIG signature format, which is minimal and supports ed25519.

3) It isn't clear how multiple signatures in the same file are handled.

4) Some process to transform Sigstore and Sigsum transparency log claims into DEB822 headers is needed, but seems doable (the length concern applies here too).

/Simon
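To make point 2 concrete, here is an added example (not from the thread or from apt) that encodes and parses the SSHSIG blob layout from OpenSSH's PROTOCOL.sshsig and builds the exact bytes the key signs; it shows how small the format is for Ed25519, and where a post-quantum signature would inflate it. The key and signature bytes are constructed placeholders, not a valid signature, and the field names follow the spec.

```python
import hashlib
import struct

MAGIC = b"SSHSIG"
SIG_VERSION = 1
HASH_ALGS = ("sha256", "sha512")  # the only two the spec allows

def _string(b: bytes) -> bytes:
    # SSH wire "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n

def _split_alg(blob: bytes):
    # Nested key/signature blobs are: string algorithm, string raw bytes
    alg, off = _read_string(blob, 0)
    raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data in nested blob")
    return alg.decode("ascii"), raw

def encode_sshsig(alg: str, pubkey: bytes, namespace: str, hash_alg: str, sig: bytes) -> bytes:
    if hash_alg not in HASH_ALGS:
        raise ValueError("unsupported hash algorithm")
    key_blob = _string(alg.encode()) + _string(pubkey)
    sig_blob = _string(alg.encode()) + _string(sig)
    return (MAGIC + struct.pack(">I", SIG_VERSION) + _string(key_blob)
            + _string(namespace.encode()) + _string(b"")  # reserved, must be empty
            + _string(hash_alg.encode()) + _string(sig_blob))

def parse_sshsig(blob: bytes) -> dict:
    if blob[:6] != MAGIC:
        raise ValueError("not an SSHSIG blob")
    (version,) = struct.unpack_from(">I", blob, 6)
    if version != SIG_VERSION:
        raise ValueError("unsupported SSHSIG version")
    fields, off = {}, 10
    for name in ("publickey", "namespace", "reserved", "hash_algorithm", "signature"):
        fields[name], off = _read_string(blob, off)
    if off != len(blob) or fields["reserved"] != b"":
        raise ValueError("malformed SSHSIG blob")
    fields["publickey"] = _split_alg(fields["publickey"])
    fields["signature"] = _split_alg(fields["signature"])
    return fields

def signed_data(namespace: str, hash_alg: str, message: bytes) -> bytes:
    # The key signs this preamble over H(message), never the raw message
    digest = hashlib.new(hash_alg, message).digest()
    return MAGIC + _string(namespace.encode()) + _string(b"") + _string(hash_alg.encode()) + _string(digest)

# Constructed sample: placeholder Ed25519 key (32 bytes) and signature (64 bytes)
SAMPLE = encode_sshsig("ssh-ed25519", b"\x11" * 32, "file", "sha512", b"\x22" * 64)
```

Feeding the same blob through `ssh-keygen -Y verify` after base64 armoring is the interoperability check a real implementation would add.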