On 27/12/21 08:01, jeremy at merelinux.org wrote:
> From: Jeremy Huntwork <jeremy at merelinux.org>
>
> This is a proof of concept that shows how asignify can be used instead of gpgme to validate packages signed with the asignify tool.
Nice! This is the first time I'm hearing of asignify. It seems to have similar goals to Minisign[1] by jedisct1 (maintainer of libsodium). Minisign is backwards compatible with signify when using the legacy signature format (PureEdDSA), but is using a blake2b-based pre-hashed approach by default (HashEdDSA). A comparison of the two formats can be found here[2]. asignify also seems to make use of blake2b, however I don't know in what form. The signature schemes are probably not compatible, right?

In my bubble Minisign seemed to gain some traction lately, and according to pkgs.org it also seems to be much more widely packaged than asignify. Is there a particular reason why you picked asignify? (The dependencies seem to be simpler, libsodium vs tweetnacl.)

There's more prior art, Debian recently started developing AptSign to replace OpenPGP: [3]

Cheers,
Danilo

[1] https://jedisct1.github.io/minisign/
[2] https://github.com/jedisct1/minisign/releases/tag/0.6
[3] https://wiki.debian.org/Teams/Apt/Spec/AptSign