Since there are issues with PGP [0] and e.g. Debian [1] has decided to change to signify (ed25519 + sha512) package signatures, I have not found anything regarding Arch Linux.
Are there plans to transition?
[0] https://latacora.micro.blog/2019/07/16/ … oblem.html
[1] https://wiki.debian.org/Teams/Apt/Spec/AptSign
Offline
Not an upgrade issue, moving to Arch Discussion.
Offline
There was an attempt to add asignify to pacman this year.
Sometimes I seem a bit harsh — don’t get offended too easily!
Offline
There are a couple of issues...
1) pacman support: As linked above, there were patches for asignify earlier this year. There is a choice between signify (BSD), asignify (no-one?), age (no-one?) and whatever Debian is doing (not signify as defined by BSD). I could not justify including asignify into pacman. I may consider the BSD signify approach, but there is not a good library to link that in AFAIK.
2) Arch packaging. Arch uses the GPG web of trust to manage its valid keys as all developers/TUs can sign packagers. Debian does not, instead having a single signing key. The web-of-trust means you trust the Arch master keys and the trust of packagers follows. Arch would need to change how it works in packaging to adopt some signify variant.
Offline
Thank you both for your response!
Age can only be used to encrypt/decrypt files and not to sign them (correct me if I am wrong).
I would also prefer signify (BSD); not having a good library (I did not know that) and changing the key-distribution mechanism are huge steps.
Offline