On Tue, Jun 22, 2021 at 11:20 PM Karl <[email protected]> wrote: > > Stefan, > > > Thank you for sharing this. I'm afraid I'm not familiar with the debian dev > process to look this up: do you know what avenues will be available for > debian users to verify public keys? Will there be signatures on the keyrings?
Hi Karl, good question, I must admit I have just seen this today and the software seems to work the same as the one used by the OpenBSD[1] folks, which also no longer use OpenPGP for signing packages. [1] I have played with signify and minisign in the past and there are no options to certify a pub key or keyring, which we know from how GnuPG works. I guess they can sign the pub key file(s) between each other dev and then have to publish those results in a safe place?! Regards Stefan
