On Thu, Aug 08, 2019 at 04:17:07PM +0200, Björn Persson wrote: > François Kooman wrote: > > The wiki currently describes the procedure to verify source downloads > > using PGP (GnuPG) [4]. I'd like to propose an added section/extension to > > also mention Minisign as a means to accomplish that. I wrote a blog post > > [5] on how I think it can be added to RPM spec files. > > > > Is this something that we can add to the official Packaging > > documentation? I'd be willing to work on this! Any ideas, feedback? > > Do you know of any project that signs releases with Minisign? I've > never seen one. > > Personally, before I potentially use a new signing tool, I would like > to know that some of the world's smartest cryptologists have analyzed > it and found the design sound. It seems to be compatible with OpenBSD's signify tool[0][1], which they have used for the past couple of releases; minisign seems to generate the same Ed25519 signatures. Note that I'm just pointing to informational resources, not advocating for or against the use of minisign in any capacity. G'luck, Peter [0] https://man.openbsd.org/signify [1] https://www.openbsd.org/papers/bsdcan-signify.html -- Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} pp@xxxxxxxxxxxx PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx
