On 23/12/21 00:18, Jeremy Huntwork wrote:
> Hello,
> I've been using pacman for a little while in Mere Linux
> (https://github.com/jhuntwork/merelinux). In trying to keep things
> simple, I sidestepped support for digital signatures for a while, but
> I'm now at a point where I'd like to include it. However, I'd prefer
> not to use gpgme and friends. I'd rather use a more modern and simpler
> library. I've been looking at things like minisign and signify.
> Recently I found https://github.com/vstakhov/asignify which snapped
> into pacman pretty easily and is pretty much exactly what I'm looking
> for.
> At the moment I only have a pretty hacky patch to make it work, so
> nothing that is ready to share here. But I wanted to gauge if there is
> any interest in supporting different libraries/tools, or if I would
> need to maintain my own patch downstream.
> Thanks much for your good work and any feedback you may have.

Going into this blind having not looked at the other signing
libraries... but if there are substantial benefits to moving to another
library, we would likely consider it. Assuming there is rough feature
parity.
A skim of asignify indicates you would need to trust every key that
signs a package, and not use a web-of-trust approach? In fact, I don't
see a way to assign trust to specific keys. I could be wrong here.
Allan