Hi Simon,

On Wed, Jan 24, 2024 at 06:25:56PM +0100, Simon Josefsson wrote:
> Following up on Holger's idea to publicly log Sigsum checksums, below is
> a strawman on how to extend the InRelease and Release.gpg files to embed
> Sigsum proofs and/or Sigstore cosign signatures.

I think you should file this as a bug.

> While this information can be distributed separately from these files,
> it doesn't hurt to think about how in-band signatures could work.
>
> After the PGP signature in InRelease and Release.gpg, you could include
> additional sections. For Sigstore cosign: ...
> The parser needs to understand each format, and pass it to the
> respective verifier somehow, and it has to ignore unknown data.

I also think / would have thought :) collecting checksums of Debian packages should sensibly be possible without changing Debian workflows?!?

-- 
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

The people who refer to the pandemic in the past tense and climate change in the future tense are the reason everything is going to shit.
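As an added illustration of the strawman quoted above (example code written for this page, not code from Simon, Holger, apt, Sigsum or Sigstore): a tolerant parser that splits an InRelease-style file into its PGP clearsign part and any trailing armored sections, hands sections with a known label to a registered verifier, and skips sections it does not understand. The section labels "SIGSUM PROOF" and "FUTURE FORMAT", and the "sha256=" line the demo verifier looks for, are assumed formats invented here; the thread does not define them. The sample file is constructed at runtime and its PGP signature block is a dummy, since PGP verification stays with the existing code path.

```python
# Added example, not code from the thread or from apt/Sigsum/Sigstore.
# Sketches the tolerant parser the strawman calls for: an InRelease-style file
# whose PGP clearsign block is followed by extra armored sections. Known
# sections are routed to a verifier; unknown ones are ignored.
# ASSUMED formats: the section labels and the "sha256=<hex>" proof line below
# are made up for illustration and are not defined anywhere in the thread.
import hashlib
import re

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"
SIG_FOOTER = "-----END PGP SIGNATURE-----"

# Any armored block after the PGP part; the \1 back-reference forces the END
# label to match the BEGIN label, so a truncated or mislabelled block is skipped.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


def parse_inrelease(text):
    """Split an InRelease-like document into its parts.

    Returns a dict with:
      release_body  - the clearsigned text as PGP saw it (dash-unescaped)
      pgp_signature - the armored PGP signature block, verbatim
      extra         - {label: body} for every armored section after the PGP part
    Raises ValueError when the PGP part is missing or truncated: the PGP
    signature stays the baseline check and must never become optional.
    """
    start = text.find(CLEARSIGN_HEADER)
    sig_start = text.find(SIG_HEADER, start) if start != -1 else -1
    sig_end = text.find(SIG_FOOTER, sig_start) if sig_start != -1 else -1
    if -1 in (start, sig_start, sig_end):
        raise ValueError("PGP clearsign block missing or truncated")
    sig_end += len(SIG_FOOTER)

    # Clearsign body: skip the "Hash:" armor headers up to the first blank line,
    # then undo dash-escaping ("- " prefix) as RFC 4880 section 7.1 describes.
    signed = text[start + len(CLEARSIGN_HEADER):sig_start]
    _, _, body = signed.partition("\n\n")
    lines = [ln[2:] if ln.startswith("- ") else ln for ln in body.split("\n")]
    release_body = "\n".join(lines).rstrip("\n") + "\n"

    extra = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text[sig_end:])}
    return {"release_body": release_body,
            "pgp_signature": text[sig_start:sig_end],
            "extra": extra}


def dispatch(parsed, verifiers):
    """Route each extra section to the verifier registered for its label.

    A section with no registered verifier is reported as None and otherwise
    ignored, so an older client tolerates formats added later. The PGP
    signature is assumed to be verified by the existing code path.
    """
    results = {}
    for label, body in parsed["extra"].items():
        verifier = verifiers.get(label)
        results[label] = None if verifier is None else verifier(parsed["release_body"], body)
    return results


def check_body_binding(release_body, section):
    """ASSUMED demo verifier: the section must name the SHA-256 of the exact
    release text the PGP signature covers, so a proof cannot be moved onto a
    different Release file. Real Sigsum or cosign verification would go here."""
    m = re.search(r"^sha256=([0-9a-f]{64})$", section, re.MULTILINE)
    return bool(m) and m.group(1) == hashlib.sha256(release_body.encode()).hexdigest()


# Constructed sample: a minimal Release body, a dummy PGP signature block,
# one assumed "SIGSUM PROOF" section and one section this client does not know.
RELEASE = "Origin: Debian\nSuite: stable\nCodename: bookworm\n"
SAMPLE = (
    CLEARSIGN_HEADER + "\nHash: SHA512\n\n" + RELEASE
    + SIG_HEADER + "\n\nconstructed-not-a-real-signature\n=AbCd\n" + SIG_FOOTER + "\n"
    + "-----BEGIN SIGSUM PROOF-----\n"
    + "sha256=" + hashlib.sha256(RELEASE.encode()).hexdigest() + "\n"
    + "log=constructed-example\n"
    + "-----END SIGSUM PROOF-----\n"
    + "-----BEGIN FUTURE FORMAT-----\nopaque data an older client must skip\n-----END FUTURE FORMAT-----\n"
)


def demo():
    """Parse the constructed sample and run the one verifier we know about."""
    return dispatch(parse_inrelease(SAMPLE), {"SIGSUM PROOF": check_body_binding})


if __name__ == "__main__":
    print(demo())  # {'SIGSUM PROOF': True, 'FUTURE FORMAT': None}
```

Two properties matter for a client: a section it does not know must be skipped rather than treated as an error, and a section it does know must be bound to the same bytes the PGP signature covers, otherwise an attacker who can rearrange files could pair a valid proof with a different Release body. The dispatcher keeps the per-format verifiers behind a registry so the file parser never has to understand Sigsum or cosign internals.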