Hi,

On 11/2/25 10:32 AM, Simon Josefsson wrote:
> Philipp Kern <[email protected]> writes:
> 
>> In trying to retrofit this I also ran into the classic "and now I have
>> an additional file to InRelease to provide the inclusion proof"
>> problem.
> 
> What do you think about putting all signatures in the InRelease file?
> 
> The content to sign would be the same as the text in the PGP-armored
> InRelease file, which (modulo the long-standing final newline
> misbehaviour) is the same as the content of the Release file.

Wouldn't that break existing consumption of the file by apt, and we would need a new one? Or does apt ignore bytes after the signature? Similarly, there is a question of what exactly to sign, with GPG's cleartext canonicalization and all.

Kind regards
Philipp Kern
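As an added illustration (not code from this thread, from apt, or from GnuPG), the Python below models what a PGP clearsigned InRelease file actually signs, following the rules of RFC 4880 (section 7 for dash-escaping, section 5.2.1 for text-mode hashing). It splits the file into armor headers, signed text, signature block and whatever trails the END line, and reconstructs the canonical signed octets: dash-escaping undone, trailing spaces and tabs stripped, CRLF line endings, and no line ending after the last text line. That last rule is why the signed text and a standalone Release file can differ in their final newline. The sample file, its filler signature and the appended trailer are constructed for the example; the trailer detection only shows where bytes after the signature would land, it says nothing about how apt treats them.

```python
"""Which octets does a PGP cleartext signature cover, and what follows it?

Added illustration, not apt's or GnuPG's code.  Canonicalization rules are
RFC 4880's: dash-escaping (section 7), and text-mode hashing (5.2.1) with
trailing spaces/tabs stripped, CRLF line endings and no line ending after
the final text line.  The sample InRelease is constructed, with a filler
signature block that verifies against nothing.
"""
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(data: str):
    """Split a clearsigned file into (armor_headers, text_lines,
    signature_lines, trailer).  `trailer` is everything after the END
    line: octets no signature covers, which a consumer has to either
    ignore or reject."""
    lines = data.replace("\r\n", "\n").split("\n")
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("not a clearsigned message") from exc
    # Armor headers such as "Hash: SHA512" run up to the first blank line.
    i = start + 1
    headers = []
    while lines[i] != "":
        headers.append(lines[i])
        i += 1
    text_lines = lines[i + 1:sig_start]
    signature_lines = lines[sig_start:sig_end + 1]
    trailer = "\n".join(lines[sig_end + 1:])
    return headers, text_lines, signature_lines, trailer


def unescape(line: str) -> str:
    """Undo RFC 4880 dash-escaping: a line written as "- foo" was "foo"."""
    return line[2:] if line.startswith("- ") else line


def canonical_signed_bytes(text_lines) -> bytes:
    """The exact octets the text-mode signature hash runs over."""
    canon = [unescape(l).rstrip(" \t") for l in text_lines]
    # join() puts CRLF between lines and nothing after the last one: the
    # line ending before BEGIN PGP SIGNATURE is not part of the signed text.
    return "\r\n".join(canon).encode("utf-8")


def file_text(text_lines) -> str:
    """The text as a reader of the file sees it: dash-escaping undone, LF
    line endings, final newline kept (the form a standalone Release file
    is written in).  Differs from the signed octets in whitespace only."""
    return "\n".join(unescape(l) for l in text_lines) + "\n"


def text_digest(headers, text_lines) -> str:
    """Digest of the canonical text using the algorithm named in the Hash
    header (RFC 4880 implies MD5 when the header is absent).  The real
    OpenPGP signature hash also covers the signature packet's hashed
    subpackets and trailer, so this alone is not what gets verified."""
    algo = "md5"
    for h in headers:
        if h.startswith("Hash: "):
            algo = h[len("Hash: "):].split(",")[0].strip().lower()
    return hashlib.new(algo, canonical_signed_bytes(text_lines)).hexdigest()


# Constructed sample in the shape of an InRelease file.
SAMPLE = "\n".join([
    BEGIN_MSG,
    "Hash: SHA512",
    "",
    "Origin: Debian",
    "Suite: stable \t",  # trailing whitespace, stripped before hashing
    "Components: main contrib",
    "- -- a line that began with a dash and was dash-escaped",
    "MD5Sum:",
    " d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages",
    BEGIN_SIG,
    "",
    "iQEzBAEBCgAdFiEE-filler-not-a-real-signature",
    "=AbCd",
    END_SIG,
    "",
])
# Same file with hypothetical bytes appended after the signature block.
SAMPLE_WITH_TRAILER = SAMPLE + "hypothetical appended inclusion proof\n"

if __name__ == "__main__":
    for name, data in (("plain", SAMPLE), ("appended", SAMPLE_WITH_TRAILER)):
        headers, text, sig, trailer = split_clearsigned(data)
        print(name, len(canonical_signed_bytes(text)), "signed octets,",
              "trailer after END:", repr(trailer))
```

Running it shows the signed octets end without a line ending while `file_text` ends with one, and that anything appended after `-----END PGP SIGNATURE-----` lands in `trailer`, outside every signed region.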
