Hi Salvo (2024.09.30_22:15:34_+0000)
> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not!

Fixed.

> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signing. You no longer keep the private key yourself.
> You keep your password/token/whatever to sigstore and they sign your files.

From a quick read of the docs: I think ephemeral keys are used (or can be?)
but the signature is recorded into their CT log, with your account. That's
the bit signed by their key.

> And you hope they'll still be online and secure in the future when you will
> decide to check a signature.

I see an offline mode is supported.

We should figure out what it would take to support sigstore in Debian source
packages, assuming there is more adoption.

Stefano

-- 
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272