Re: [Rpm-maint] [rpm-software-management/rpm] RFE: Signing packages with signify (#1193)

2020-12-24 Thread Demi Marie Obenour
IMO, moving from OpenPGP to PKCS#7 would hardly be a victory. Moving to something like Signify would. Ideally, the signature would be at a fixed offset and of a fixed length, so there is no need to parse the file before checking the signature. That eliminates an enormous class of

Re: [Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)

2020-12-24 Thread Demi Marie Obenour
> Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand it lacks a lot of features one would expect of GPG proper.

Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?

Re: [Rpm-maint] [rpm-software-management/rpm] Phasing out obsolete crypto in rpm (#1292)

2020-12-24 Thread Demi Marie Obenour
> Besides the currently obsolete things, new things need to be built with the mindset that all crypto _will_ become obsolete over time, and avoid putting it into new places where it only gets in our way eventually.

I suggest avoiding algorithm agility as much as possible. It is great in

Re: [Rpm-maint] [rpm-software-management/rpm] Add bunch of docs on spec tags and file virtual attributes (#1464)

2020-12-24 Thread ニール・ゴンパ
@Conan-Kudo requested changes on this pull request. Lots of tag capitalization, but also a couple of other minor things... > + Nosource + Nopatch These should be "cased" correctly as `NoSource` and `NoPatch` (also, we have a `NoPatch`?!?) > @@ -167,7 +179,109 @@ The end result of all