On Sat, Oct 4, 2025, at 22:19 CDT, Michał Górny <[email protected]> wrote:
> Hi,
>
> As you may have read (and probably forgotten about it), OpenPGP has
> diverged into two incompatible standards a while ago [1].
> [...]

Yeah, this is a mess.

We could also ditch the whole PGP thing and simply use ssh keys for
signing [1, 2, 3].

Best,
Matthias

[1] git has support for this, and this can even be combined with an openssh CA
    infrastructure: .git/config:

      [user]
        signingkey = /home/tamiko/.ssh/signing_key.pub
      [gpg]
        format = ssh
      [gpg "ssh"]
        allowedSignersFile = /home/tamiko/.ssh/allowed_signers

    resulting in:

      commit ee33182848ea2f229fb7da53c3a241b62aaa8b06
      Good "git" signature for [email protected] with ED25519-SK-CERT key
      SHA256:s0kUASVHakMZykRbyXBKYY8KKm7E3WIRGT94YXTRHTc
      Author: Matthias Maier <[email protected]>
      Date:   Fri Oct 3 22:13:18 2025 +0000

[2] We are already maintaining quite an elaborate setup for ssh and pgp keys - we
    could simply reduce it to only ssh keys.

[3] No, this is not really a serious suggestion :-)
