You are not logged in.

#1 2022-05-02 22:13:40

Rommy
Member
Registered: 2014-10-17
Posts: 51

Use signify for package signature

Since there are issues with PGP [0] and e.g. Debian[1] has decided to change to signify (ed25519 + sha512) package signatures, I have not found anything regarding archlinux.
Are there plans to transition?

[0] https://latacora.micro.blog/2019/07/16/ … oblem.html
[1] https://wiki.debian.org/Teams/Apt/Spec/AptSign

Offline

#2 2022-05-02 22:26:12

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 4,645

Re: Use signify for package signature

Not an upgrade issue, moving to Arch Discussion.


How to post. A sincere effort to use modest and proper language and grammar is a sign of respect toward the community.

Online

#3 2022-05-03 02:07:44

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Use signify for package signature

There was an attempt to add asignify to pacman this year.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#4 2022-05-03 04:16:47

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: Use signify for package signature

There are a couple of issues...

1) pacman support:   As linked above, there was patches for asignify earlier this year.  There is a choice between signify (BSD), asignify (no-one?), age (no-one?) and whatever Debian is doing (not signify as defined by BSD).  I could not justify including asignify into pacman.  I may consider the BSD signify approach, but there is not a good library to link that in AFAIK.

2) Arch packaging.  Arch uses the GPG web of trust to manage its valid keys as all developers/TUs can sign packagers.  Debian does not, instead having a single signing key.  The web-of-trust means you trust the Arch master keys and the trust of packagers follows.  Arch would need to change how it works in packaging to adopt some signify variant.

Offline

#5 2022-05-03 17:17:59

Rommy
Member
Registered: 2014-10-17
Posts: 51

Re: Use signify for package signature

Thank you both for your response!
Age can only be used to encrypt/decrypt files and not to sign them (correct me if I am wrong).
I would also prefer signify (BSD), not having a good library (I did not know that) and changing the key-distribution mechanism are huge steps.

Offline

Board footer

Powered by FluxBB