I have very, very bad news for the "if it's good enough for Debian it's good enough for X" OpenPGP apologist argument.
wiki.debian.org/Teams/Apt/Spec
10
86
256
Conversation
Git's signed commit / tag support is problematic even without PGP because it uses signatures hard-wired into the objects. It has no way to add additional signatures after the fact which is a huge problem.
Even if you're using PGP, it's better to use Git notes than their system.
1
5
It should be possible to rotate keys and provide new signatures replacing the old ones made with the key that's being retired.
Git notes mean you can just not fetch all the legacy signatures, etc. It's pretty gross having PGP bloat hard-wired into each commit / tag object...
It's particularly bad with commits, because at least you could create new tags with a suffix / prefix indicating that they're made with the new signing key.
For commits... all future commits have a hash incorporating all those hard-wired PGP signatures.
1
1
I think it would be a lot better to just come up with a good standard and tooling for using Git notes to attach signatures to objects.
Much better to sign a generated archive when possible for reduced attack surface vs. verifying huge trees of SHA-1 commit/tree/blob hashes.
1
2
Show replies