On Sun, Oct 13, 2024 at 07:36:39PM +0200, Michal Suchánek wrote:
On Sun, Oct 13, 2024 at 08:58:11AM +0200, Matěj Cepl wrote:
On Fri Oct 11, 2024 at 12:52 PM CEST, Michal Suchánek wrote:
if I understand this correctly instead of decentralized GPG infrastructure sigstore is a centralized service.
I don’t think it is only about centralization/decentralization (or at all). Just duck it and you get plenty of pages like [1] with a long list of gripes against PGP/GPG on purely technical basis.
GPG/PGP is superseded for most purposes. However, for signing distributed binaries I have yet to see a proposed alternative that is actually technically at least on par with GPG/PGP.
I agree. GPG/PGP really has its issues (even on security mailing lists like distros people struggle with it, so how usable is it for others?), but package signing is a well-established mechanism. sigstore has advantages, but also some serious drawbacks. Being able to authenticate to the service at the time you request the signature isn't on the same level as accessing a properly stored key. But one of the great features of signatures is that you can just do multiple. You mostly don't have that luxury when it comes to confidentiality. I would see value in the additional use of sigstore, but I would be really hesitant to drop GPG/PGP for that.

Johannes

-- 
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
(HRB 36809, AG Nürnberg)
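The "you can just do multiple" point above, as an added example that is not part of the thread or of any project's code: a release policy, written against Go's standard library, that accepts an artifact only when every required signing path has produced a valid signature. The two path names and the Ed25519 key pairs are constructed stand-ins for an offline-held maintainer key and a service-issued key; no real GPG or sigstore tooling is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Policy maps each required signing path to the public key trusted for it.
// In the thread's terms one path is a long-lived key kept offline (GPG/PGP
// role), the other a key obtained after authenticating to a signing service
// at request time (sigstore role); here both are throwaway constructed keys.
type Policy map[string]ed25519.PublicKey

// Verify accepts artifact only if every path in the policy has a present and
// valid signature in sigs, so one compromised or missing path is not enough.
func (p Policy) Verify(artifact []byte, sigs map[string][]byte) bool {
	for name, pub := range p {
		sig, ok := sigs[name]
		if !ok || !ed25519.Verify(pub, artifact, sig) {
			return false
		}
	}
	return true
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo signs a constructed artifact and returns (bothPathsValid, onePathValid).
func Demo() (bool, bool) {
	artifact := []byte("constructed release tarball contents")
	offlinePub, offlinePriv := newKey()
	servicePub, servicePriv := newKey()
	pol := Policy{"maintainer-offline-key": offlinePub, "signing-service-key": servicePub}
	both := map[string][]byte{
		"maintainer-offline-key": ed25519.Sign(offlinePriv, artifact),
		"signing-service-key":    ed25519.Sign(servicePriv, artifact),
	}
	one := map[string][]byte{"signing-service-key": both["signing-service-key"]}
	return pol.Verify(artifact, both), pol.Verify(artifact, one)
}
```

A policy that requires both paths rejects a release signed through only one of them, which is the layering the message argues for instead of replacing one mechanism with the other.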