On 06/04/2021 02.24, Daniel Shahaf wrote: > I don't understand from that post what's so significant about sigstore, > even after having followed the link to upstream's press release.
I think, the problem that it tries to address is that most (90%?) of upstreams publish just tarballs/zipfiles without a cryptographic signature. E.g. [1] So as a packager, I download the file and have no way to verify that I got what the author meant to publish. Now, if you have a third party that also downloads the file and publishes a signature over what it got, you at least have another data point that helps you verify that your local wifi or a rogue mirror did not mitm your transfer or that at least everyone gets the same version (you could call it "reproducible downloads"). If it ever happens that such a 3rd party signing key leaked, you do not want years of signatures to become worthless => this is why they make keys short-lived - similar to how you can make syslogs tamper-proof. [1] https://ftp.gnu.org/gnu/autoconf/ https://avahi.org/download/ https://download.gnome.org/sources/audiofile/0.3/ http://mirror.synyx.de/apache/httpd/mod_fcgid/