On 21/7/23 16:19, Max Gautier wrote:
The intended benefits are easier packager setup and workflows (compared to GPG), as well as more out-of-the-box support for signing with FIDO2 tokens (as openssh has sk-* keys to natively support those). The ALLOWED_SIGNERS file (documented in man ssh-keygen) and thus the signing namespace or namespaces would be up to the distribution using pacman (presumably, different distributions should not use the same namespace(s)).
The answer is a solid maybe... Even leaning towards yes here!

Questions to answer first:

1) Would we allow mixed signature verification, e.g. some repos use GPG and others use openssh? Or some repos using both?

2) What do we need to add to package entries in repos so that pacman knows the signature file to download? Our current assumptions are very GPG based...

3) What will be our criteria for including additional signature verification methods? openssh seems a good option for me, but we have had people request one of the other new signing variants.

Allan