On Tue, Aug 29, 2023 at 12:15:10AM +1000, Allan McRae wrote:
> However, I am not convinced that repos using a mixture of GPG and openssh
> signatures should not be supported. See below.

I assume the last "not" was extraneous, right? Given the rest.

> Signature type detection would be interesting, but I see it being
> brittle/complex if/when alternative signing methods get added.

As far as I can tell, the signature formats of minisign and signify are quite
close (signify can verify minisign signatures, but not the other way
around[1]) and include the following header:

    untrusted comment: <arbitrary text>

Which could be used to distinguish types. Both SSH and GPG also have a header.
Of course that header is necessarily untrusted, so every signature
verification method should independently verify the signature structure
without ever relying on the detected type.

> Having a single configurable signing method per repo removes the need to
> even deal with this.
>
> [...]
>
> Overall, I am happy for this idea to move forward. My suspicion is that
> some initial refactoring may be needed to ease the addition of new signature
> formats. Without looking in detail, I suspect doing that would be a good
> place to start.
>
> Allan
>

Great! I'm going to take a look at the codebase and see what I can come up
with.

Given the discussion, I'll first focus on implementing support for configuring
the signature method globally/per repo + the openssh signature format (and
refactoring, if indeed needed).
Signature type detection and "mixed signature method" repos, if we eventually
go that way, can be added later on.

Thanks

[1]: https://github.com/jedisct1/minisign/issues/59#issuecomment-654809237

-- 
Max Gautier
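
The header sniffing discussed in this message, as an added example that is not part of the original message and not pacman/libalpm code: it guesses a format from the leading bytes and uses that guess only to reject a file early against a per-repo setting, never as proof of validity. The enum, the function names and the per-repo policy check are hypothetical, and the OpenPGP branches assume both armored and binary detached signatures may appear.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Format hints only; hypothetical names, not libalpm API. */
enum sig_hint { SIG_UNKNOWN, SIG_PGP_ARMORED, SIG_PGP_BINARY, SIG_SSH, SIG_SIGNIFY_LIKE };

static int has_prefix(const unsigned char *buf, size_t len, const char *p)
{
	size_t n = strlen(p);
	return len >= n && memcmp(buf, p, n) == 0;
}

/* Guess the format from the leading bytes. Whoever supplies the file controls
 * these bytes, so the result selects a verifier and proves nothing else. */
enum sig_hint sig_guess_format(const unsigned char *buf, size_t len)
{
	if(has_prefix(buf, len, "untrusted comment: ")) return SIG_SIGNIFY_LIKE;
	if(has_prefix(buf, len, "-----BEGIN SSH SIGNATURE-----")) return SIG_SSH;
	if(has_prefix(buf, len, "-----BEGIN PGP SIGNATURE-----")) return SIG_PGP_ARMORED;
	/* Binary OpenPGP signature packet (tag 2): old-format header bytes
	 * 0x88..0x8b, or new-format header byte 0xc2. */
	if(len > 0 && ((buf[0] & 0xfc) == 0x88 || buf[0] == 0xc2)) return SIG_PGP_BINARY;
	return SIG_UNKNOWN;
}

/* Early-reject check against the method configured for a repo (assumed
 * setting). Returning 1 means "hand it to that verifier", which must still
 * parse and verify the whole structure itself. */
int sig_hint_allowed(enum sig_hint configured, const unsigned char *buf, size_t len)
{
	enum sig_hint seen = sig_guess_format(buf, len);
	if(configured == SIG_PGP_BINARY || configured == SIG_PGP_ARMORED) {
		return seen == SIG_PGP_BINARY || seen == SIG_PGP_ARMORED;
	}
	return configured != SIG_UNKNOWN && seen == configured;
}

int main(void)
{
	/* Constructed sample: plausible header, body is not a signature at all. */
	const unsigned char s[] = "untrusted comment: constructed sample\nnot-a-signature\n";
	printf("hint=%d allowed_for_ssh_repo=%d\n", sig_guess_format(s, sizeof(s) - 1),
			sig_hint_allowed(SIG_SSH, s, sizeof(s) - 1));
	return 0;
}
```

The constructed sample is classified as signify-like even though its body is garbage, which is why the hint can only narrow the choice of verifier.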
