On Thu, Aug 08, 2019 at 04:17:07PM +0200, Björn Persson wrote:
François Kooman wrote:
The wiki currently describes the procedure to verify source downloads using PGP (GnuPG) [4]. I'd like to propose an added section/extension to also mention Minisign as a means to accomplish that. I wrote a blog post [5] on how I think it can be added to RPM spec files.
Is this something that we can add to the official Packaging documentation? I'd be willing to work on this! Any ideas, feedback?
Do you know of any project that signs releases with Minisign? I've never seen one.
Personally, before I potentially use a new signing tool, I would like to know that some of the world's smartest cryptologists have analyzed it and found the design sound.
It seems to be compatible with OpenBSD's signify tool [0][1], which they have used for the past couple of releases; minisign seems to generate the same Ed25519 signatures.
Note that I'm just pointing to informational resources, not advocating for or against the use of minisign in any capacity.
G'luck, Peter
[0] https://man.openbsd.org/signify
[1] https://www.openbsd.org/papers/bsdcan-signify.html
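To make the compatibility point above concrete, here is an added example (not code from this thread, from minisign or from signify) that parses signify/minisign-style public-key and signature files and verifies the Ed25519 signature in pure Python, so it runs offline with the standard library only. It assumes the file layout those tools document: an "untrusted comment:" line followed by base64 of a two-byte algorithm tag, an 8-byte key id and the 32-byte key or 64-byte signature; minisign's optional "trusted comment:" line and a global signature over signature || comment; the "ED" tag meaning the signature covers BLAKE2b-512 of the file (minisign prehashed mode) and "Ed" meaning it covers the file bytes themselves (legacy mode, which is what signify produces). The key and signature are RFC 8032 section 7.1 test vector 1 (which signs the empty message); the key id, comment strings and the empty "release file" are constructed for the example and are not any project's key. The Ed25519 arithmetic is the textbook affine form, fine for a checker but not for production use.

```python
import base64
import hashlib
# --- Ed25519 verification (RFC 8032 section 5.1.7) in plain affine arithmetic ---
Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = -121665 * pow(121666, Q - 2, Q) % Q              # twisted Edwards constant
I = pow(2, (Q - 1) // 4, Q)                          # a square root of -1

def _xrecover(y):                                    # even x for this y (caller checks the curve)
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return Q - x if x & 1 else x

def _add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(p, e):                                      # double-and-add; verify only, not constant time
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p = _add(p, p)
        e >>= 1
    return r

def _decode_point(b):
    y = int.from_bytes(b, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (b[31] >> 7):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return x, y

_BASE = _decode_point((4 * pow(5, Q - 2, Q) % Q).to_bytes(32, "little"))  # y = 4/5, even x

def ed25519_verify(pk, msg, sig):                    # True iff sig by pk over msg verifies
    s = int.from_bytes(sig[32:], "little")
    if len(pk) != 32 or len(sig) != 64 or s >= L:    # wrong sizes or non-canonical S
        return False
    try:
        a, r = _decode_point(pk), _decode_point(sig[:32])
    except ValueError:
        return False
    h = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little") % L
    return _mul(_BASE, s) == _add(r, _mul(a, h))
# --- signify / minisign text format ---------------------------------------------
def _blob(text, expect_len):                         # base64 line after the untrusted comment
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("missing untrusted comment line")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != expect_len:
        raise ValueError("unexpected blob length %d" % len(raw))
    return raw, lines[2:]

def parse_pubkey(text):                              # "Ed" | 8-byte key id | 32-byte key
    raw, _ = _blob(text, 42)
    if raw[:2] != b"Ed":
        raise ValueError("unsupported key algorithm")
    return raw[2:10], raw[10:]

def parse_sig(text):                                 # alg | 8-byte key id | 64-byte signature
    raw, rest = _blob(text, 74)
    alg = raw[:2]
    if alg not in (b"Ed", b"ED"):
        raise ValueError("unsupported signature algorithm")
    trusted = None                                   # minisign-only trailer, absent in signify files
    if len(rest) >= 2 and rest[0].startswith("trusted comment: "):
        trusted = (rest[0][len("trusted comment: "):], base64.b64decode(rest[1], validate=True))
    return alg, raw[2:10], raw[10:], trusted

def verify_file(pubkey_text, sig_text, data):        # -> (ok, reason)
    key_id, pk = parse_pubkey(pubkey_text)
    alg, sig_key_id, sig, trusted = parse_sig(sig_text)
    if sig_key_id != key_id:
        return False, "signature was made with a different key id"
    # "ED" = minisign prehashed mode (signs BLAKE2b-512 of the file); "Ed" = legacy/signify (signs the file)
    msg = hashlib.blake2b(data, digest_size=64).digest() if alg == b"ED" else data
    if not ed25519_verify(pk, msg, sig):
        return False, "bad signature over file contents"
    if trusted and not ed25519_verify(pk, sig + trusted[0].encode(), trusted[1]):
        return False, "bad global signature over trusted comment"
    return True, "ok"
# --- constructed sample: RFC 8032 section 7.1 test 1 (signs the empty message); made-up key id, not a real project key
_PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
_SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                     "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
_KEY_ID = bytes.fromhex("0011223344556677")

def make_text(comment, blob):                        # "untrusted comment: ...\n<base64>\n"
    return "untrusted comment: %s\n%s\n" % (comment, base64.b64encode(blob).decode())

SAMPLE_PUBKEY = make_text("constructed key", b"Ed" + _KEY_ID + _PK)
SAMPLE_SIG = make_text("constructed signature", b"Ed" + _KEY_ID + _SIG)
```

`verify_file(SAMPLE_PUBKEY, SAMPLE_SIG, b"")` returns `(True, "ok")`; any other file content, a signature made under a different key id, or a flipped bit in the signature returns `(False, reason)`. The equivalent command-line check for a real project is `minisign -Vm FILE -x FILE.minisig -P PUBKEY` (or `-p pubkey-file`); for the spec-file use the thread proposes, the point of pinning the public-key string in the spec next to the Source URL is that a swapped tarball fails in %prep instead of reaching %build.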