On Thu, Aug 08, 2019 at 04:17:07PM +0200, Björn Persson wrote:
> François Kooman wrote:
> > The wiki currently describes the procedure to verify source downloads
> > using PGP (GnuPG) [4]. I'd like to propose an added section/extension to
> > also mention Minisign as a means to accomplish that. I wrote a blog post
> > [5] on how I think it can be added to RPM spec files.
> >
> > Is this something that we can add to the official Packaging
> > documentation? I'd be willing to work on this! Any ideas, feedback?
>
> Do you know of any project that signs releases with Minisign? I've
> never seen one.

See the "Software projects signed with Ed25519" section in this:

  https://ianix.com/pub/ed25519-deployment.html

not very many, but OpenBSD is a big one, which is not surprising as they
created signify, which is what inspired minisign.

  https://flak.tedunangst.com/post/signify

> Personally, before I potentially use a new signing tool, I would like
> to know that some of the world's smartest cryptologists have analyzed
> it and found the design sound.

NB, cryptographers have been telling people that PGP is *unsound* for
years now

  https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/

IIUC, the key thing that makes signify/minisign a sound design is that
they target a very narrow use case, offering just a single way to do
things, using current best practice algorithms. This immediately
eliminates a huge pile of historical baggage and complexity that you get
in PGP impls, which have been a reliable source of security problems. It
makes it easier for users to do the right thing when running the tools
as there's much lower risk of picking bad uninformed options.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
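The "single way to do things" described above is visible in minisign's file layout: one algorithm (Ed25519), a fixed key-id/signature encoding, and a trusted comment that is itself covered by a second signature. The following is an added example, not code from this thread, from the minisign project or from the blog post mentioned in it: a small Python verifier for the minisign public-key and .minisig formats, with a constructed key pair and signature as input. It assumes the `cryptography` package is installed.

```python
import base64
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519


def parse_pubkey(text: str) -> tuple[bytes, bytes]:
    """Key file: untrusted comment line, then base64("Ed" + 8-byte key id + 32-byte key)."""
    raw = base64.b64decode(text.splitlines()[1])
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return raw[2:10], raw[10:]


def verify(pubkey_text: str, sig_text: str, data: bytes) -> str:
    """Verify a .minisig over data; return its trusted comment or raise ValueError."""
    key_id, pk_bytes = parse_pubkey(pubkey_text)
    lines = sig_text.splitlines()
    raw = base64.b64decode(lines[1])  # algorithm (2) + key id (8) + signature (64)
    if len(raw) != 74 or raw[:2] not in (b"Ed", b"ED"):
        raise ValueError("malformed signature line")
    algo, sig = raw[:2], raw[10:]
    if raw[2:10] != key_id:
        raise ValueError("signature was made with a different key")
    # "ED" = prehashed mode (signature over BLAKE2b-512 of the file); "Ed" = legacy mode, over the file itself.
    msg = hashlib.blake2b(data, digest_size=64).digest() if algo == b"ED" else data
    if not lines[2].startswith("trusted comment: "):
        raise ValueError("missing trusted comment")
    trusted = lines[2][len("trusted comment: "):]
    pk = ed25519.Ed25519PublicKey.from_public_bytes(pk_bytes)
    try:
        pk.verify(sig, msg)
        # The global signature binds the trusted comment to the file signature.
        pk.verify(base64.b64decode(lines[3]), sig + trusted.encode())
    except InvalidSignature:
        raise ValueError("signature verification failed") from None
    return trusted


def sign_for_demo(data: bytes, trusted: str) -> tuple[str, str]:
    """Constructed key pair and signature in minisign's prehashed layout (demo input only)."""
    sk = ed25519.Ed25519PrivateKey.generate()
    pk_bytes = sk.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    key_id = bytes(range(1, 9))  # constructed; the real tool picks a random id
    sig = sk.sign(hashlib.blake2b(data, digest_size=64).digest())
    pubkey_text = "untrusted comment: demo key\n" + base64.b64encode(b"Ed" + key_id + pk_bytes).decode()
    sig_text = "\n".join(["untrusted comment: demo signature",
                          base64.b64encode(b"ED" + key_id + sig).decode(),
                          "trusted comment: " + trusted,
                          base64.b64encode(sk.sign(sig + trusted.encode())).decode()])
    return pubkey_text, sig_text
```

Tampering with either the file or the trusted comment makes `verify` raise, which is the property a spec file's `%prep` step would rely on before unpacking a source archive.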