On 1/13/25 11:14, Simon Josefsson wrote:
nick black <dankamong...@gmail.com> writes:
i'm beginning to see use of minisign[0] as an alternative to GPG
for signing releases[2]. i'm completely ambivalent with regards to
the merits of minisign, but would like to be able to verify them
with uscan.
That would be great -- upstreams are using other mechanisms to sign
their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I
don't think there is any reason why 'uscan' shouldn't support all of
them.
gitsign is supported
This reminds me about the 'apt-get install minisign' package naming
concern that we tried to flesh out a migration policy for earlier. I
think I ultimately got lost trying to work out the migration flow for
how to achieve that...
/Simon
