Stateless OpenPGP command-line interface for package management
Daniel Kahn Gillmor (CCed) has been working on a proposal for a
stateless OpenPGP command-line interface (that would ideally eventually
be supported by all OpenPGP implementations), both RFC draft and
reference implementation, and we had a chat some time ago on what might
be the requirements from a package manager PoV, where I mentioned I'd
bring it up on the dpkg and apt lists. I've also CCed Peter Pentchev
for debsigs. The draft can be found here:
and the implementation (AFAIK) here:
I think that what we mostly need is:
* verification support for:
- multiple keyrings, mentioned explicitly as AFAIR there was talk
about dropping this from GnuPG (?) (already supported).
- inline signatures for .dsc, .changes, InRelease, etc
(planned with something lile detach-inband-signature-and-message?).
- unbundling inline signatures from their data, which could make it
possible to remove the OpenPGP signature ASCII armored parsing
code from dpkg-dev and apt, but this would come at the cost of
having to depend on such implementation, which would increase
the build-essential set. :/
- being able to warn about or reject specific weak constructs,
needed by apt, in the future by dpkg (not supported AFAICS).
* querying support for:
- getting the key ID matching a pattern in a keyring, needed by
debsig-verify to match on its policy (not supported AFAICS).
- getting the key ID used in a signature, needed by
debsig-verify to match on its policy (not supported AFAICS),
- getting the signature date (?), used by debsigs
(not supported AFAICS, seems just informational use).
* conversion support for:
- binary to ASCII armored signatures, f.ex. for upstream tarball
signatures (already supported).
* signing support for:
- specifying a key ID (not supported AFAICS?).
These are off the top of my head, I might be missing more from apt's
side though. But I think we'd all be very happy if we could stop
having to parse --with-colons stuff, and having to deal with mixed
metadata and data streamed out from GnuPG. :)