[continued from previous message]
works *grin*. If enough valid sigs are detected, we're good. If
not, fail.
Do you mean that for each signature in the selected keyring (based on
the vendor, not the fingerprint), we'd export each one individually and
then verify the .deb against that? I mean if we want to support a
minimum-signatures then I guess that's what we'd need to do because
gpgv does not seem to support that. sq for example does with its
--signatures option, but SOP does not either.
I'm also pondering now whether instead of a keyring it might be easier
to manage and to implement to use a directory to hold all the
signatures, say:
  <policy-dir>/keyrings/<vendor>/origin/fingerprint-a.pgp
  <policy-dir>/keyrings/<vendor>/origin/fingerprint-b.pgp
  <policy-dir>/keyrings/<vendor>/role-builder/fingerprint-c.pgp
  <policy-dir>/keyrings/<vendor>/role-builder/fingerprint-d.pgp
Or perhaps better just by some name to avoid potential reliance on
fingerprint formats that might change with OpenPGP spec revisions,
say:
  <policy-dir>/keyrings/<vendor>/origin/archive-auto.pgp
  <policy-dir>/keyrings/<vendor>/origin/archive-2022.pgp
  <policy-dir>/keyrings/<vendor>/role-builder/builder-a.pgp
  <policy-dir>/keyrings/<vendor>/role-builder/builder-b.pgp
Or perhaps the min-signatures could then become min number of
verifications from these named keyrings.
Does that sound reasonable? What am I missing?
Overall it does, but as mentioned before, it's hard for me to tell
what's missing from the silent users. :)
I guess I'll collect my thoughts, and your input and will try to draft
something and ask for wider input from the list.
Thanks,
Guillem
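
The per-keyring counting discussed in this thread, as an added shell example that is not part of the original messages or of dpkg: it checks a detached signature against each keyring file under one role directory with gpgv and compares the number of keyrings that verified it to a minimum. The function names, the `GPGV` override and the detached-signature arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The directory layout follows the message above; the function
# names, the GPGV override and the detached-signature arguments are assumed.
GPGV=${GPGV:-gpgv}   # verifier command; overridable so a stub can stand in

# count_verified ROLE_DIR SIGNATURE DATA
# Prints how many keyring files in ROLE_DIR yield at least one valid signature.
# Assumes each keyring file holds a different key; the same key stored under
# two names would be counted twice.
count_verified() {
    role_dir=$1 sig=$2 data=$3 count=0
    for keyring in "$role_dir"/*.pgp; do
        [ -f "$keyring" ] || continue    # empty dir: the glob stays literal
        # One keyring per run, so each success maps to one named keyring.
        # The exit status is not used: when several signatures are present,
        # gpgv fails on the ones made by other keys, so look for VALIDSIG
        # on the status output instead.
        if "$GPGV" --status-fd 1 --keyring "$keyring" "$sig" "$data" 2>/dev/null |
            grep -q '^\[GNUPG:\] VALIDSIG '; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# check_min_signatures ROLE_DIR MIN SIGNATURE DATA
# Succeeds only if at least MIN keyrings in ROLE_DIR verified the data.
check_min_signatures() {
    role_dir=$1 min=$2 sig=$3 data=$4
    case $min in ''|*[!0-9]*) return 2 ;; esac   # reject non-numeric minimum
    [ "$min" -ge 1 ] || return 2     # a minimum of 0 would accept unsigned data
    n=$(count_verified "$role_dir" "$sig" "$data")
    [ "$n" -ge "$min" ]
}
```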