Hi! On Tue, 2025-09-02 at 11:16:56 +0200, Philipp Kern wrote: > On 9/1/25 1:23 PM, Guillem Jover wrote: > > * Make the format extensible to other signature formats or workflows > > (such as x509, secure-boot, IMA, etc., even if there's currently no > > intention to add support for any of this). > > When we discussed support for IMA internally many years back we had > no good answer for the key rotation problem. That feels very > annoying with embedded signatures. You need to re-sign all the debs > that you have in storage and need to get all signatures on disk > updated - unless you generate immutable images that you can update > all at once.
Right, this is something that has indeed been known to affect all embedded signatures (it's on the debsig-verify TODO redesign doc for example :). And something we also covered in the deb signing talks in DebConf25. I should probably have been more clear in an earlier point where there's a mention of potential acceptance into the Debian archive, limited by concerns over reproducibility, where the key rotation part was omitted. To be very honest, I've seen the reproducible and key rotation problems to be such a concern that I don't think we'd want to have those in the archive. I think embedded signatures do make sense if your primary way to transport .debs is off-repos and/or you also want to track provenance, have a small set of binaries, or are prepared to rebuild everything to be able to re-sign (even on a stable release), otherwise for something like Debian the current repo-signing has always felt superior in all possible ways. And IMA has indeed the same exact problem, where I'm also not convinced at all about them for the Debian archive. Yet, I still think it would be nice to have a format that might make it possible to explore that, because perhaps for some organizations or distribution methods it does make sense. (Because decoupling the IMA signatures from the general filesystem metadata payload means injecting or changing them is going to be way easier.) Thanks, Guillem
