Daniel P. Berrangé wrote:
> On Thu, Aug 08, 2019 at 04:17:07PM +0200, Björn Persson wrote:
> > Do you know of any project that signs releases with Minisign? I've
> > never seen one.
>
> See the "Software projects signed with Ed25519" section in this:
>
> https://ianix.com/pub/ed25519-deployment.html

In that list I find five things that are packaged in Fedora:

· Minisign itself: Precompiled binary packages are signed, but not the
  source code apparently.
· Sodium: There are both Minisign signatures and OpenPGP signatures.
· dnscrypt-proxy: Again, precompiled binary packages are signed, but not
  the source code.
· Radare2: I can't find any signatures.
· OpenSMTPD: Signify signatures found.

So that's at least two packages that could start verifying signatures,
one of which can't be verified with GnuPG. At least it wouldn't be
entirely pointless to write Minisign into the guidelines.

> IIUC, the key thing that makes signify/minisign a sound design is that
> they target a very narrow use case, offering just a single way to do
> things, using current best practice algorithms. This immediately
> eliminates a huge pile of historical baggage and complexity that you
> get in PGP impls, which have been a reliable source of security problems.
> It makes it easier for users to do the right thing when running the tools
> as there's much lower risk of picking bad uninformed options.

That's great and all, but have there been any serious attempts to trick
Minisign or Signify into accepting a fake signature, by people who are
experienced in such attacks? Cryptography is tricky stuff. It's very easy
to overlook some detail. Users should be wary of homegrown protocols that
haven't been rigorously analyzed.

Björn Persson
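The thread asks what a Minisign/Signify signature actually consists of and what a verifier must check before accepting one. The following is an added example, written for this page and not code from the minisign, signify or Fedora projects. It parses the documented Minisign key and signature file layout (untrusted comment line, then base64 of "Ed" || 8-byte key id || key or signature; signature files add a "trusted comment:" line and a global Ed25519 signature over signature || comment) using only Go's standard library, then shows the checks a verifier needs: key id match, the file signature, and the global signature that protects the trusted comment. The key pair, key id, file contents and comment are all generated or constructed inside the program. Minisign can also emit prehashed signatures (algorithm tag "ED", signing BLAKE2b-512 of the file, which recent minisign versions use by default); this example rejects those explicitly rather than pretending to verify them, since Go's standard library has no BLAKE2b.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Layout as documented by minisign (signify uses the same bytes):
//   public key file: untrusted comment line, then base64("Ed" || key_id[8] || pubkey[32])
//   signature file:  untrusted comment line, base64(algo || key_id[8] || sig[64]),
//                    "trusted comment: <text>", base64(global_sig[64])
// global_sig signs sig || trusted comment, so the comment cannot be edited
// without the secret key. "Ed" signs the raw file; "ED" signs BLAKE2b-512(file).

type PublicKey struct {
	KeyID [8]byte
	Key   ed25519.PublicKey
}

type Signature struct {
	Algo           string
	KeyID          [8]byte
	Sig            []byte
	TrustedComment string
	GlobalSig      []byte
}

const trustedPrefix = "trusted comment: "

// decodeLine base64-decodes lines[idx] and insists on an exact byte count;
// sloppy length checks are how a parser ends up accepting junk.
func decodeLine(lines []string, idx, want int) ([]byte, error) {
	if idx >= len(lines) {
		return nil, errors.New("truncated input")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[idx]))
	if err != nil {
		return nil, err
	}
	if len(raw) != want {
		return nil, fmt.Errorf("line %d: %d bytes, want %d", idx+1, len(raw), want)
	}
	return raw, nil
}

func ParsePublicKey(text string) (*PublicKey, error) {
	raw, err := decodeLine(strings.Split(text, "\n"), 1, 2+8+ed25519.PublicKeySize)
	if err != nil {
		return nil, err
	}
	if string(raw[:2]) != "Ed" {
		return nil, errors.New("unknown public key algorithm")
	}
	pk := &PublicKey{Key: ed25519.PublicKey(raw[10:])}
	copy(pk.KeyID[:], raw[2:10])
	return pk, nil
}

func ParseSignature(text string) (*Signature, error) {
	lines := strings.Split(text, "\n")
	raw, err := decodeLine(lines, 1, 2+8+ed25519.SignatureSize)
	if err != nil {
		return nil, err
	}
	algo := string(raw[:2])
	if algo != "Ed" && algo != "ED" {
		return nil, errors.New("unknown signature algorithm")
	}
	if len(lines) < 4 || !strings.HasPrefix(lines[2], trustedPrefix) {
		return nil, errors.New("missing trusted comment")
	}
	gsig, err := decodeLine(lines, 3, ed25519.SignatureSize)
	if err != nil {
		return nil, err
	}
	s := &Signature{Algo: algo, Sig: raw[10:], GlobalSig: gsig,
		TrustedComment: strings.TrimPrefix(lines[2], trustedPrefix)}
	copy(s.KeyID[:], raw[2:10])
	return s, nil
}

// Verify accepts only if the key id matches, the file signature verifies, and
// the global signature over sig || trusted comment verifies.
func Verify(pk *PublicKey, sig *Signature, data []byte) error {
	if sig.Algo == "ED" {
		return errors.New("prehashed signature: BLAKE2b-512 not implemented in this example")
	}
	if sig.KeyID != pk.KeyID {
		return errors.New("signature was made by a different key")
	}
	if !ed25519.Verify(pk.Key, data, sig.Sig) {
		return errors.New("file signature does not verify")
	}
	if !ed25519.Verify(pk.Key, append(append([]byte{}, sig.Sig...), sig.TrustedComment...), sig.GlobalSig) {
		return errors.New("trusted comment was altered or global signature is bad")
	}
	return nil
}

// GenerateAndSign produces a fresh key pair and writes key/signature text in the layout above.
func GenerateAndSign(data []byte, comment string) (pubText, sigText string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	var keyID [8]byte
	if _, err := rand.Read(keyID[:]); err != nil {
		return "", "", err
	}
	enc := base64.StdEncoding.EncodeToString
	sig := ed25519.Sign(priv, data)
	gsig := ed25519.Sign(priv, append(append([]byte{}, sig...), comment...))
	pubText = "untrusted comment: minisign public key\n" + enc(append(append([]byte("Ed"), keyID[:]...), pub...)) + "\n"
	sigText = "untrusted comment: signature from minisign secret key\n" +
		enc(append(append([]byte("Ed"), keyID[:]...), sig...)) + "\n" +
		trustedPrefix + comment + "\n" + enc(gsig) + "\n"
	return pubText, sigText, nil
}

func main() {
	data := []byte("constructed sample release tarball contents\n") // constructed input
	pubText, sigText, err := GenerateAndSign(data, "timestamp:1565277427\tfile:release.tar.gz")
	if err != nil {
		panic(err)
	}
	pk, _ := ParsePublicKey(pubText)
	sig, _ := ParseSignature(sigText)
	fmt.Println("genuine:", Verify(pk, sig, data))
	fmt.Println("tampered file:", Verify(pk, sig, append([]byte("x"), data...)))
}
```

The global signature is the part a casual verifier tends to skip: without it, an attacker who cannot forge the file signature can still rewrite the "trusted comment" (which minisign uses to carry the file name and timestamp) and point a valid signature at a different artifact name. Checking the key id before the signature also gives a clear "wrong key" error instead of a generic failure when a project rotates keys.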
_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx