Hi! Daniel Kahn Gillmor (CCed) has been working on a proposal for a stateless OpenPGP command-line interface (that would ideally eventually be supported by all OpenPGP implementations), both RFC draft and reference implementation, and we had a chat some time ago on what might be the requirements from a package manager PoV, where I mentioned I'd bring it up on the dpkg and apt lists. I've also CCed Peter Pentchev for debsigs. The draft can be found here:
https://dkg.fifthhorseman.net/draft-openpgp-stateless-cli.html
https://gitlab.com/dkg/openpgp-stateless-cli

and the implementation (AFAIK) here:

https://gitlab.com/dkg/python-sop

I think that what we mostly need is:

* verification support for:
  - multiple keyrings, mentioned explicitly as AFAIR there was talk about
    dropping this from GnuPG (?) (already supported).
  - inline signatures for .dsc, .changes, InRelease, etc. (planned with
    something like detach-inband-signature-and-message?).
  - unbundling inline signatures from their data, which could make it
    possible to remove the OpenPGP signature ASCII armored parsing code
    from dpkg-dev and apt, but this would come at the cost of having to
    depend on such implementation, which would increase the
    build-essential set. :/
  - being able to warn about or reject specific weak constructs, needed
    by apt, in the future by dpkg (not supported AFAICS).
* querying support for:
  - getting the key ID matching a pattern in a keyring, needed by
    debsig-verify to match on its policy (not supported AFAICS).
  - getting the key ID used in a signature, needed by debsig-verify to
    match on its policy (not supported AFAICS).
  - getting the signature date (?), used by debsigs (not supported
    AFAICS, seems just informational use).
* conversion support for:
  - binary to ASCII armored signatures, f.ex. for upstream tarball
    signatures (already supported).
* signing support for:
  - specifying a key ID (not supported AFAICS?).

These are off the top of my head, I might be missing more from apt's
side though. But I think we'd all be very happy if we could stop having
to parse --with-colons stuff, and having to deal with mixed metadata and
data streamed out from GnuPG. :)

Thanks,
Guillem
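The unbundling step mentioned above (splitting a cleartext-signed file such as InRelease into its message and a detached ASCII-armored signature) is the parsing that apt and dpkg-dev currently carry themselves. As an added illustration, not code from this mail, from python-sop or from apt/dpkg, here is a strict splitter for the RFC 4880 cleartext signature framework: `split_clearsigned` and `accepts` are hypothetical names, and the InRelease-style sample is constructed with a placeholder signature body.

```python
import re
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Split one RFC 4880 cleartext-signed document into (message, armored_sig).
    Strict: one signed block only, so unsigned bytes cannot ride along."""
    state, body, sig = "outside", [], []
    for line in text.splitlines():
        if state == "outside":
            if line == BEGIN_MSG:
                state = "headers"
            elif line.strip():
                raise ValueError("non-blank data before the signed block")
        elif state == "headers":  # only "Hash:" armor headers are allowed
            if line == "":
                state = "body"
            elif not re.fullmatch(r"Hash: [A-Za-z0-9,]+", line):
                raise ValueError("unexpected cleartext header: %r" % line)
        elif state == "body":
            if line == BEGIN_SIG:
                sig.append(line)
                state = "signature"
            elif line.startswith("-") and not line.startswith("- "):
                raise ValueError("unescaped dash at start of line")
            else:  # undo dash-escaping, strip trailing whitespace (RFC 4880 7.1)
                body.append((line[2:] if line.startswith("- ") else line).rstrip(" \t"))
        elif state == "signature":
            sig.append(line)
            if line == END_SIG:
                state = "done"
        elif line.strip():  # state == "done": nothing may follow the signature
            raise ValueError("data after the signature (second block?)")
    if state != "done":
        raise ValueError("incomplete cleartext signature framework")
    # The line ending before BEGIN PGP SIGNATURE is not part of the signed text.
    return "\n".join(body), "\n".join(sig) + "\n"

def accepts(text):  # True only for a single well-formed cleartext-signed block
    try:
        split_clearsigned(text)
        return True
    except ValueError:
        return False

SAMPLE = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"  # constructed
          "Origin: Debian\n- -- dash-escaped line\nSuite: stable  \n"
          "-----BEGIN PGP SIGNATURE-----\n\nY29uc3RydWN0ZWQ=\n=abcd\n"  # placeholder
          "-----END PGP SIGNATURE-----\n")
```

The message part can then be handed to a detached-signature verifier together with the armored signature, and anything outside the single signed block is rejected rather than silently passed through.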