Hi,

This may be only tangentially related, so apologies in advance.

On Mon, Sep 01, 2025 at 01:23:30PM +0200, Guillem Jover wrote:
>  * Make the format extensible to other signature formats or workflows
>    (such as x509, secure-boot, IMA, etc., even if there's currently no
>    intention to add support for any of this).

There is a workflow I am interested in, which is system integrity
verification run from a known-good rescue environment.  Your mention of
secure-boot reminded me of this.  This environment could be booted from
a USB stick for example.

The debsums utility can use md5sum files external to the potentially
compromised system being investigated to verify files.  The md5sum files
can be obtained by downloading .deb packages over https.

- Can debsigs be extended to cover the md5sum files on the system being
  investigated?

- Can .md5sum files be served separately from packages and individually,
  like debuginfod files?

- Can Contents files be extended to provide md5 (or sha2) checksums?

If there is a discussion of these topics elsewhere please let me know.

Thanks,
Jeremy
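
An added example, not part of the original message and not debsums code: a minimal verifier for the rescue-environment workflow described above, checking files on a mounted disk against a package's md5sums list obtained from a trusted .deb. The function names, the mount point and the file names are assumptions for illustration; the list format (32 hex digits, two spaces, path relative to `/`) is the one dpkg uses.

```python
import hashlib
import os
import re
import sys

# dpkg md5sums line: 32 hex digits, two spaces, path relative to "/".
LINE_RE = re.compile(r"([0-9a-fA-F]{32})  (.+)")

def parse_md5sums(text):
    """Return {relative_path: md5hex} from a package's md5sums file."""
    entries = {}
    for line in text.splitlines():
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if not m or m.group(2).startswith("/") or ".." in m.group(2).split("/"):
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def verify_tree(root, entries):
    """Check each listed file under the mounted root; return {path: status}."""
    root = os.path.realpath(root)
    results = {}
    for rel, expected in sorted(entries.items()):
        real = os.path.realpath(os.path.join(root, rel))
        # An absolute symlink on the inspected disk resolves against the
        # rescue system's own files, so never hash anything outside root.
        if os.path.commonpath([root, real]) != root:
            results[rel] = "outside-root"
        elif not os.path.isfile(real):
            results[rel] = "missing"
        else:
            h = hashlib.md5()
            with open(real, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            results[rel] = "ok" if h.hexdigest() == expected else "changed"
    return results

if __name__ == "__main__":
    # Usage (hypothetical paths): verify.py /mnt coreutils.md5sums
    with open(sys.argv[2]) as fh:
        report = verify_tree(sys.argv[1], parse_md5sums(fh.read()))
    for rel, status in report.items():
        if status != "ok":
            print(f"{status}\t{rel}")
```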
