On 8/16/25 3:22 AM, [email protected] wrote:
> Hello All,
> In an earlier post I asked why Debian uses PGP to sign packages despite
> its complexity.
> Some responded that Sequoia PGP simplifies the process.
> I now wish to ask why Debian uses PGP in general to sign packages when
> there are alternatives such as SigStore.
Having worked with both PGP/RFC-4880 and Sigstore, I found them to be of
similar complexity, implementation-wise (X.509, ASN.1, base64-encoded
JSON all layered into each other, some multiple times).
Also, when I looked into PyPI's implementation of PEP-740[1], I couldn't
figure out how to do an offline verification of the
signature/attestation using the sigstore Rust crate[2], to the point that
I gave up on my project.
[1]: https://github.com/kpcyrd/pypi-provenance-auth
[2]: https://docs.rs/sigstore/
(Not trying to hijack this thread, but if somebody knows how to do this,
I'm still interested in a solution).
cheers,
kpcyrd