Would pacman be interested in supporting signature verification of
packages (and databases) using the (relatively new) signing protocol
introduced and implemented by OpenSSH [1], alongside GPG signatures?

The intended benefits would be easier packager setup and workflows
(compared to GPG), as well as more out-of-the-box support for signing
with FIDO2 tokens (as OpenSSH has sk-* keys to natively support those).

The ALLOWED_SIGNERS (documented in man ssh-keygen) file and thus the
signing namespace or namespaces would be up to the distribution using
pacman (presumably, different distributions should not use the same
namespace(s)).

If there is interest in this, I'm interested in trying my hands at an
implementation; in that case, I'd welcome any advice or things to avoid
in doing so.

Thanks,

[1]: https://raw.githubusercontent.com/openssh/openssh-portable/master/PROTOCOL.sshsig

-- 
Max Gautier

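As an added illustration of what the proposal above would require on the verifying side (this is not pacman code, not OpenSSH code, and not code from the poster): a parser for the SSHSIG wire format from PROTOCOL.sshsig, the signed-data construction that binds the namespace into what is actually signed, and a minimal allowed_signers reader applying the namespace policy that ssh-keygen -Y verify enforces before the cryptographic check. The key bytes, signer name, namespace "example-pkg" and signature bytes are constructed placeholders; the final cryptographic verification of the signature blob over signed_data() is deliberately left to a crypto library.

```python
"""SSHSIG parsing plus the allowed_signers namespace policy a package manager
would apply before the cryptographic check. Added example for this page; not
pacman or OpenSSH code. Wire format per PROTOCOL.sshsig, allowed_signers syntax
per ssh-keygen(1). Key, signer, namespace and signature bytes are constructed
placeholders; verifying sig["signature"] over signed_data() is left to a
crypto library."""
import base64
import hashlib
import re
import struct
import textwrap

MAGIC = b"SSHSIG"
SIG_VERSION = 1
ARMOR_BEGIN = "-----BEGIN SSH SIGNATURE-----"
ARMOR_END = "-----END SSH SIGNATURE-----"

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    n = struct.unpack(">I", buf[off:off + 4])[0]
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def signed_data(namespace: bytes, hash_alg: str, message: bytes) -> bytes:
    """The blob that is actually signed: MAGIC || namespace || reserved ||
    hash_alg || H(message). Because the namespace is bound here, a signature
    made under another namespace (e.g. by another distribution) cannot be
    replayed as a package signature."""
    if hash_alg not in ("sha256", "sha512"):
        raise ValueError("unsupported hash algorithm: " + hash_alg)
    digest = hashlib.new(hash_alg, message).digest()
    return (MAGIC + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(hash_alg.encode()) + ssh_string(digest))

def encode_sshsig(pubkey: bytes, namespace: bytes, hash_alg: str, signature: bytes) -> str:
    """Build an armored .sig file; used here only to construct sample input."""
    blob = (MAGIC + struct.pack(">I", SIG_VERSION) + ssh_string(pubkey)
            + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(hash_alg.encode()) + ssh_string(signature))
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return "%s\n%s\n%s\n" % (ARMOR_BEGIN, body, ARMOR_END)

def parse_sshsig(armored: str) -> dict:
    """Decode an armored SSHSIG; reject bad magic, bad version, trailing data."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("missing SSH SIGNATURE armor")
    blob = base64.b64decode("".join(lines[1:-1]))
    if blob[:6] != MAGIC:
        raise ValueError("bad magic")
    if struct.unpack(">I", blob[6:10])[0] != SIG_VERSION:
        raise ValueError("unsupported SSHSIG version")
    pubkey, off = read_string(blob, 10)
    namespace, off = read_string(blob, off)
    _reserved, off = read_string(blob, off)
    hash_alg, off = read_string(blob, off)
    signature, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after signature")
    return {"pubkey": pubkey, "namespace": namespace,
            "hash_alg": hash_alg.decode(), "signature": signature}

def parse_allowed_signers(text: str) -> list:
    """Parse 'principals [options] keytype base64key [comment]' lines. Only the
    namespaces="a,b" option is interpreted; principal wildcards (which
    ssh-keygen supports) are not handled in this illustration."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        namespaces, idx = None, 1
        if not fields[idx].startswith(("ssh-", "ecdsa-", "sk-")):  # options token present
            m = re.search(r'namespaces="([^"]*)"', fields[idx])
            namespaces = m.group(1).split(",") if m else None
            idx += 1
        entries.append({"principals": fields[0].split(","), "namespaces": namespaces,
                        "keytype": fields[idx], "key": base64.b64decode(fields[idx + 1])})
    return entries

def check_policy(sig: dict, allowed: list, identity: str, expected_ns: bytes) -> str:
    """Return "ok" or the rejection reason. These checks belong before the
    crypto: the namespace must be the one the verifier expects, the identity
    must have a listed key equal to the key in the signature, and that entry
    must permit the namespace."""
    if sig["namespace"] != expected_ns:
        return "namespace mismatch"
    for e in allowed:
        if identity not in e["principals"] or e["key"] != sig["pubkey"]:
            continue
        if e["namespaces"] is not None and expected_ns.decode() not in e["namespaces"]:
            return "key not permitted for this namespace"
        return "ok"
    return "no matching signer for identity"

# Constructed sample input: placeholder key and signature bytes, not real crypto.
SAMPLE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
PLACEHOLDER_SIG = ssh_string(b"ssh-ed25519") + ssh_string(bytes(64))
ALLOWED_SIGNERS = ('# principals  options  keytype key\n'
                   'packager@example.org namespaces="example-pkg" ssh-ed25519 '
                   + base64.b64encode(SAMPLE_KEY).decode() + '\n')
PACKAGE = b"contents of example-1.0-1.pkg.tar.zst"
GOOD_SIG = encode_sshsig(SAMPLE_KEY, b"example-pkg", "sha512", PLACEHOLDER_SIG)
WRONG_NS_SIG = encode_sshsig(SAMPLE_KEY, b"file", "sha512", PLACEHOLDER_SIG)

if __name__ == "__main__":
    signers = parse_allowed_signers(ALLOWED_SIGNERS)
    for label, armored in (("good", GOOD_SIG), ("wrong-namespace", WRONG_NS_SIG)):
        print(label, "->", check_policy(parse_sshsig(armored), signers,
                                        "packager@example.org", b"example-pkg"))
    print(len(signed_data(b"example-pkg", "sha512", PACKAGE)), "bytes to verify")
```

Everything check_policy() rejects is rejected without touching the signature bytes, which is the point of the namespace design: a per-distribution namespace string in the allowed_signers file, plus the same string bound into signed_data(), means a signature produced for any other purpose fails before any key is consulted.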