• Re: minisign support in uscan

    From Simon Josefsson@21:1/5 to nick black on Mon Jan 13 11:30:01 2025
    nick black <[email protected]> writes:

    > i'm beginning to see use of minisign[0] as an alternative to GPG
    > for signing releases[2]. i'm completely ambivalent with regards to
    > the merits of minisign, but would like to be able to verify them
    > with uscan.

    That would be great -- upstreams are using other mechanisms to sign
    their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I
    don't think there is any reason why 'uscan' shouldn't support all of
    them.

    This reminds me about the 'apt-get install minisign' package naming
    concern that we tried to flesh out a migration policy for earlier. I
    think I ultimately got lost trying to work out the migration flow for
    how to achieve that...

    /Simon


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yadd@21:1/5 to Simon Josefsson on Mon Jan 13 11:50:01 2025
    On 1/13/25 11:14, Simon Josefsson wrote:
    > nick black <[email protected]> writes:
    >
    >> i'm beginning to see use of minisign[0] as an alternative to GPG
    >> for signing releases[2]. i'm completely ambivalent with regards to
    >> the merits of minisign, but would like to be able to verify them
    >> with uscan.
    >
    > That would be great -- upstreams are using other mechanisms to sign
    > their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I
    > don't think there is any reason why 'uscan' shouldn't support all of
    > them.

    gitsign is supported

    > This reminds me about the 'apt-get install minisign' package naming
    > concern that we tried to flesh out a migration policy for earlier. I
    > think I ultimately got lost trying to work out the migration flow for
    > how to achieve that...
    >
    > /Simon

  • From Simon Josefsson@21:1/5 to Yadd on Mon Jan 13 14:10:02 2025
    Yadd <[email protected]> writes:

    > On 1/13/25 11:14, Simon Josefsson wrote:
    >> nick black <[email protected]> writes:
    >>
    >>> i'm beginning to see use of minisign[0] as an alternative to GPG
    >>> for signing releases[2]. i'm completely ambivalent with regards to
    >>> the merits of minisign, but would like to be able to verify them
    >>> with uscan.
    >> That would be great -- upstreams are using other mechanisms to sign
    >> their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I
    >> don't think there is any reason why 'uscan' shouldn't support all of
    >> them.
    >
    > gitsign is supported

    I was unclear, I meant this gitsign:

    https://github.com/sigstore/gitsign

    I don't think this approach is supported by uscan?

    I only see about PGP on https://manpages.debian.org/testing/devscripts/uscan.1.en.html

    /Simon

    >> This reminds me about the 'apt-get install minisign' package naming
    >> concern that we tried to flesh out a migration policy for earlier. I
    >> think I ultimately got lost trying to work out the migration flow for
    >> how to achieve that...
    >> /Simon

  • From Simon Josefsson@21:1/5 to nick black on Mon Jan 13 14:10:01 2025
    nick black <[email protected]> writes:

    > Simon Josefsson left as an exercise for the reader:
    >> nick black <[email protected]> writes:
    >> That would be great -- upstreams are using other mechanisms to sign
    >> their releases today, like Sigsum, Sigstore, gitsign S/MIME etc, and I
    >> don't think there is any reason why 'uscan' shouldn't support all of
    >> them.
    >
    > i've created #1092818 for this, and am working on it in https://salsa.debian.org/nickblack/devscripts/-/tree/nickblack/uscan-minisign

    \o/

    >> This reminds me about the 'apt-get install minisign' package naming
    >> concern that we tried to flesh out a migration policy for earlier. I
    >> think I ultimately got lost trying to work out the migration flow for
    >> how to achieve that...
    >
    > i'm not familiar with this. do you have a reference?

    Sorry I confused it with signify:

    https://tracker.debian.org/pkg/signify-openbsd

    See https://lists.debian.org/debian-devel/2024/10/msg00031.html

    /Simon
