Re: Why Does Debian Use PGP to Sign Packages

To: debian-security@lists.debian.org
Subject: Re: Why Does Debian Use PGP to Sign Packages
From: kpcyrd <kpcyrd@archlinux.org>
Date: Sat, 16 Aug 2025 16:10:55 +0200
Message-id: <[🔎] f7ff63f1-f74c-47be-9cd5-e3663767083e@archlinux.org>
In-reply-to: <[🔎] a66cd45403052dc7a4e55f60885e4737@posteo.de>
References: <[🔎] a66cd45403052dc7a4e55f60885e4737@posteo.de>

On 8/16/25 3:22 AM, fosres@posteo.de wrote:

Hello All,
In an earlier post I asked why Debian uses PGP to sign packages despiteits complexity.
Some responded that Sequoia PGP simplifies the process.
I now wish to ask why Debian uses PGP in general to sign packages whenthere are alternatives such as SigStore.

Having worked with both PGP/RFC-4880 and Sigstore, I found them to be ofsimilar complexity, implementation wise (x509, ASN.1, base64 encodedjson all layered into each other, some multiple times).

Also, when I looked into pypi's implementation of PEP-740[1], I couldn'tfigure out how to do an offline-verification of thesignature/attestation using the sigstore Rust crate[2], to the point Igave up on my project.


[1]: https://github.com/kpcyrd/pypi-provenance-auth
[2]: https://docs.rs/sigstore/

(Not trying to hijack this thread, but if somebody knows how to do this,I'm still interested in a solution).


cheers,
kpcyrd

Reply to:

References:
- Why Does Debian Use PGP to Sign Packages
  - From: fosres@posteo.de

Prev by Date: Re: Why Does Debian Use PGP to Sign Packages
Next by Date: Re: [SECURITY] [DSA 5973-1] linux security update
Previous by thread: Re: Why Does Debian Use PGP to Sign Packages
Next by thread: Upcoming (old)stable point releases: 13.1 and 12.12
Index(es):
- Date
- Thread