gpg keychain repo?

Harald Sitter sitter at kde.org
Thu Jul 1 12:31:40 BST 2021


On 28.06.21 21:02, Fabian Vogt wrote:
> Though I'm wondering how this approach would work with signatures. Simply
> pushing new signatures to the keyserver wouldn't be possible, would this
> forego signatures completely or allow them with MRs?

I'm assuming you mean keys signing other keys. If so, signatures are
wholly out of scope.

As Ben said, one could probably just MR new signature uploads, but as
far as I am concerned the point of the repo wouldn't be establishing a
key-based web-of-trust but rather a repo-based trust-on-first-use.

The repo would simply act as a canonical, trustworthy source of keys, not
necessarily as a source for signatures. By virtue of being in the repo,
the key should be considered trustworthy as far as tarball signing goes.

For all other GPG needs keyservers are still the way to go.

HS

