Initial support for asignify signatures

Danilo mail at dbrgn.ch
Mon Jan 10 10:40:44 UTC 2022


On 27/12/21 08:01, jeremy at merelinux.org wrote:
> From: Jeremy Huntwork <jeremy at merelinux.org>
> 
> This is a proof of concept that shows how asignify can be used instead
> of gpgme to validate packages signed with the asignify tool.

Nice! This is the first time I'm hearing of asignify. It seems to have
similar goals to Minisign[1] by jedisct1 (maintainer of libsodium).

Minisign is backwards compatible with signify when using the legacy
signature format (PureEdDSA), but uses a blake2b-based pre-hashed
approach by default (HashEdDSA). A comparison of the two formats can be
found here[2].

asignify also seems to make use of blake2b; however, I don't know
in what form. The signature schemes are probably not compatible, right?
In my bubble Minisign seemed to gain some traction lately, and
according to pkgs.org it also seems to be much more widely packaged
than asignify. Is there a particular reason why you picked asignify?
(The dependencies seem to be simpler, libsodium vs tweetnacl.)

There's more prior art: Debian recently started developing AptSign to
replace OpenPGP: [3]

Cheers,
Danilo

[1] https://jedisct1.github.io/minisign/
[2] https://github.com/jedisct1/minisign/releases/tag/0.6
[3] https://wiki.debian.org/Teams/Apt/Spec/AptSign
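The PureEdDSA versus blake2b pre-hashed HashEdDSA distinction discussed above, as an added illustration that is not code from Minisign, signify, asignify or pacman: a toy Ed25519 in plain Python where `prehash=True` signs blake2b-512(message) the way Minisign's default format does and `prehash=False` signs the raw bytes like signify and Minisign's legacy format. It assumes textbook integer arithmetic (not constant time, no point validation) and ignores the real tools' file framing (key ids, trusted comments), so it shows only why a signature of one kind does not verify as the other, not actual file-format compatibility.

```python
import hashlib  # sha512 is Ed25519's internal hash; blake2b is the Minisign-style prehash
# Ed25519 with textbook (ref10-style) integer arithmetic: not constant time, illustration only.
q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # subgroup order
d = (-121665 * pow(121666, q - 2, q)) % q            # curve constant
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q

def xrecover(y):  # the even x coordinate for a given y on the curve
    xx = (y*y - 1) * pow(d*y*y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x*x - xx) % q: x = (x * I) % q
    return q - x if x & 1 else x
By = 4 * pow(5, q - 2, q) % q
B = (xrecover(By), By)  # base point

def add(P, Q):  # twisted Edwards point addition
    x1, y1 = P; x2, y2 = Q; t = d*x1*x2*y1*y2
    return ((x1*y2 + x2*y1) * pow(1 + t, q - 2, q) % q,
            (y1*y2 + x1*x2) * pow(1 - t, q - 2, q) % q)
def mul(P, e):  # double-and-add scalar multiplication
    R = (0, 1)
    while e:
        if e & 1: R = add(R, P)
        P, e = add(P, P), e >> 1
    return R
def enc(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, 'little')  # y plus x parity bit
def dec(s):
    y = int.from_bytes(s, 'little') & ((1 << 255) - 1)
    x = xrecover(y)
    return (q - x if (x & 1) != (s[31] >> 7) else x, y)
def hint(m): return int.from_bytes(hashlib.sha512(m).digest(), 'little')
def keypair(seed):  # clamped scalar, nonce prefix and encoded public key from a 32-byte seed
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], 'little') & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:], enc(mul(B, a))

def sign(seed, msg, prehash=False):
    # prehash=False: PureEdDSA over the raw bytes (signify, Minisign legacy format).
    # prehash=True:  HashEdDSA over blake2b-512(msg) (Minisign default format).
    m = hashlib.blake2b(msg).digest() if prehash else msg
    a, prefix, pk = keypair(seed)
    r = hint(prefix + m) % L
    R = enc(mul(B, r))
    return R + ((r + hint(R + pk + m) * a) % L).to_bytes(32, 'little')

def verify(pk, msg, sig, prehash=False):
    m = hashlib.blake2b(msg).digest() if prehash else msg
    S = int.from_bytes(sig[32:], 'little')
    if len(sig) != 64 or S >= L: return False
    h = hint(sig[:32] + pk + m) % L
    return mul(B, S) == add(dec(sig[:32]), mul(dec(pk), h))
```

A verifier therefore has to know which of the two kinds a signature is (Minisign encodes this in the signature's algorithm bytes) before it can check it; feeding a pure signature to a prehashing verifier, or the reverse, simply fails.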


More information about the pacman-dev mailing list