Why Do Developers Continue to Sign with GNUPG

To: debian-security@lists.debian.org
Subject: Why Do Developers Continue to Sign with GNUPG
From: fosres@posteo.de
Date: Sun, 10 Aug 2025 14:35:20 +0000
Message-id: <[🔎] d3aba6cdf64e395e7a1238783f6282e8@posteo.de>

Hello Debian Security Team,

Since Debian is a major Linux distribution I want to ask why

software developers continue to digitally sign their code an

software packages with GNUPG when there are simpler alternatives

such as minisign (https://jedisct1.github.io/minisign/), signify, or age(https://github.com/FiloSottile/age).


PGP has been criticized for its being difficult to use by other

cryptographers:

https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/

I thank all responses in advance!

Best,

Tanveer Salim

Reply to:

Follow-Ups:
- Re: Why Do Developers Continue to Sign with GNUPG
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Re: Why Do Developers Continue to Sign with GNUPG
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: Why Do Developers Continue to Sign with GNUPG
  - From: Malte <ml@enteig.net>
- Re: Why Do Developers Continue to Sign with GNUPG
  - From: Gunnar Wolf <gwolf@debian.org>

Next by Date: Re: Why Do Developers Continue to Sign with GNUPG
Next by thread: Re: Why Do Developers Continue to Sign with GNUPG
Index(es):
- Date
- Thread