Re: Why Does Debian Use PGP to Sign Packages

To: fosres@posteo.de
Cc: Debian security <debian-security@lists.debian.org>
Subject: Re: Why Does Debian Use PGP to Sign Packages
From: Jeffrey Walton <noloader@gmail.com>
Date: Sat, 16 Aug 2025 05:13:25 -0400
Message-id: <[🔎] CAH8yC8m5B8xqrPPtpK3T_zA6whm7-jWxgmma0uafrm33W7UHmw@mail.gmail.com>
Reply-to: noloader@gmail.com
In-reply-to: <[🔎] a66cd45403052dc7a4e55f60885e4737@posteo.de>
References: <[🔎] a66cd45403052dc7a4e55f60885e4737@posteo.de>

On Sat, Aug 16, 2025 at 12:45 AM <fosres@posteo.de> wrote:

Hello All,

In an earlier post I asked why Debian uses PGP to sign packages despite
its complexity.

Some responded that Sequoia PGP simplifies the process.

I now wish to ask why Debian uses PGP in general to sign packages when
there are alternatives such as SigStore.

What were the unique benefits in PGP that could not be found in other
alternatives?

I thank all in advance for any responses.

Also see <https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html>.

Jeff

Reply to:

Follow-Ups:
- Re: Why Does Debian Use PGP to Sign Packages
  - From: Simon Josefsson <simon@josefsson.org>

References:
- Why Does Debian Use PGP to Sign Packages
  - From: fosres@posteo.de

Prev by Date: Why Does Debian Use PGP to Sign Packages
Next by Date: Re: Why Does Debian Use PGP to Sign Packages
Previous by thread: Why Does Debian Use PGP to Sign Packages
Next by thread: Re: Why Does Debian Use PGP to Sign Packages
Index(es):
- Date
- Thread