Picking up a thread that started on debian-python@lists.debian.org: https://lists.debian.org/msgid-search/14198883.O9o76ZdvQC@galatea
Upstreams that care about supply chain security have been building mechanisms to authenticate their releases, beyond PGP signatures. For example, Python started providing sigstore signatures a couple of years ago, and is now talking about the idea of dropping PGP signatures.
https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058

We currently support including PGP signatures in source packages, and verifying them in uscan. Should we expand this to include some of these new mechanisms?

Things brought up in the debian-python thread include:

1. sigstore https://docs.sigstore.dev/
2. ssh signatures
3. signify https://man.openbsd.org/signify.1

There is a general trend towards getting upstream sources from Git rather than tarballs in Debian, but we're a long way from moving across completely, or even finding consensus to do so. These signature mechanisms can generally be applied to git commits as well as tarballs.

I see supporting them in Debian requiring:

1. Decisions on which schemes to support. I'd assume we support all that are available in Debian and have some significant use. Some, like sigstore, can be used in multiple modes; we'd have to make some selections.
2. Support in uscan to verify at download/checkout time.
   2.1: Syntax in watch files to locate signature files.
   2.2: Path in source packages / watch files to declare trusted signers.
   2.3: Syntax in watch files for signature verification in git mode.
3. Support in dpkg-source to include detached signatures in source packages.
   3.1: Declare expected formats and filename extensions.
4. Support in the archive? (Is anything necessary?)

Is this something people are interested in pursuing?

For sigstore, we probably need to package the Python / go client in Debian. We have rekor-cli for low-level verification, but not tools for verifying bundles like the ones Python provides.

Stefano

-- 
Stefano Rivera http://tumbleweed.org.za/ +1 415 683 3272
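The "declare trusted signers" step (2.2 above) is the one that differs most from the PGP model, because ssh signatures are verified against an allowed_signers file that maps a principal name to a pinned public key and a namespace, rather than against a keyring. The following script is an added illustration, not part of Stefano's mail or of uscan/dpkg-source; it uses only the stock `ssh-keygen -Y sign` / `-Y verify` interface. The key pair, the principal `upstream@example.org`, the tarball and the detached `.sig` are all constructed in a temporary directory, so nothing here is a real upstream identity. It shows what a downloader such as uscan would have to check: the signature verifies for the pinned principal, fails after the artifact is modified, and fails when the namespace or principal does not match what the signer used.

```shell
#!/bin/sh
# Added example: verifying a detached ssh signature on a release tarball
# against a pinned allowed_signers file (the "trusted signers" declaration a
# source package would carry). Everything below is constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed upstream key pair; the principal name is hypothetical.
PRINCIPAL='upstream@example.org'
ssh-keygen -q -t ed25519 -N '' -C "$PRINCIPAL" -f "$WORK/upstream_key"

# allowed_signers format: "<principal> <keytype> <base64-key>". Pinning the key
# here is what binds a release to a specific signer; an unknown key fails.
printf '%s %s\n' "$PRINCIPAL" "$(cut -d' ' -f1,2 "$WORK/upstream_key.pub")" \
    > "$WORK/allowed_signers"

# Constructed release artifact plus its detached signature. `-n file` is the
# namespace ssh-keygen uses for signing arbitrary files; it is baked into the
# signature and must be supplied again at verification time.
printf 'pretend tarball bytes\n' > "$WORK/foo-1.0.tar.gz"
ssh-keygen -q -Y sign -f "$WORK/upstream_key" -n file "$WORK/foo-1.0.tar.gz"

# verify_release ARTIFACT SIGFILE ALLOWED_SIGNERS PRINCIPAL NAMESPACE
# Exit status 0 means the signature is valid for that principal+namespace.
verify_release() {
    ssh-keygen -Y verify -f "$3" -I "$4" -n "$5" -s "$2" < "$1" >/dev/null 2>&1
}

# Convenience wrappers returning the outcome of each check as 0/1 (as text),
# so the results can be inspected without relying on printed output.
check_good() {
    verify_release "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.sig" \
        "$WORK/allowed_signers" "$PRINCIPAL" file && echo ok || echo FAIL
}

check_tampered() {
    # A copy of the tarball with one byte appended must not verify.
    cp "$WORK/foo-1.0.tar.gz" "$WORK/tampered.tar.gz"
    printf 'x' >> "$WORK/tampered.tar.gz"
    verify_release "$WORK/tampered.tar.gz" "$WORK/foo-1.0.tar.gz.sig" \
        "$WORK/allowed_signers" "$PRINCIPAL" file && echo ok || echo FAIL
}

check_wrong_namespace() {
    # Same key, same bytes, but the verifier asks for namespace "git":
    # the signature was made for "file", so this must be rejected.
    verify_release "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.sig" \
        "$WORK/allowed_signers" "$PRINCIPAL" git && echo ok || echo FAIL
}

check_wrong_principal() {
    # A principal not listed in allowed_signers must be rejected even though
    # the key that signed is genuine.
    verify_release "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.sig" \
        "$WORK/allowed_signers" 'someone-else@example.org' file \
        && echo ok || echo FAIL
}

echo "genuine tarball:  $(check_good)"          # ok
echo "tampered tarball: $(check_tampered)"      # FAIL
echo "wrong namespace:  $(check_wrong_namespace)" # FAIL
echo "wrong principal:  $(check_wrong_principal)" # FAIL
```

The namespace check is the caveat worth noting for point 2.3: a signature produced for git commits and one produced for a tarball are not interchangeable, so a watch file would have to record which namespace upstream signs with, in addition to where the `.sig` lives and which allowed_signers entry to trust.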