On Thu, Aug 08, 2019 at 04:17:07PM +0200, Björn Persson wrote:
François Kooman wrote:
> The wiki currently describes the procedure to verify source downloads
> using PGP (GnuPG) [4]. I'd like to propose an added section/extension to
> also mention Minisign as a means to accomplish that. I wrote a blog post
> [5] on how I think it can be added to RPM spec files.
>
> Is this something that we can add to the official Packaging
> documentation? I'd be willing to work on this! Any ideas, feedback?
Do you know of any project that signs releases with Minisign? I've
never seen one.
Personally, before I potentially use a new signing tool, I would like
to know that some of the world's smartest cryptologists have analyzed
it and found the design sound.
It seems to be compatible with OpenBSD's signify tool[0][1], which they
have used for the past couple of releases; minisign seems to generate
the same Ed25519 signatures.
Note that I'm just pointing to informational resources, not advocating
for or against the use of minisign in any capacity.
G'luck,
Peter
[0]
https://man.openbsd.org/signify
[1]
https://www.openbsd.org/papers/bsdcan-signify.html
--
Peter Pentchev roam(a){ringlet.net,debian.org,FreeBSD.org} pp(a)storpool.com
PGP key:
http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13