I'm conflicted on this one, so I'll do a write-up. PGP is a complex tool to do a simple thing, and it's fine used properly for that. https://twitter.com/sweis/status/806163180762370048 …
It's awful for signing source code releases etc. because the recipient needs a stateful keyring to verify.
-
Something like OpenBSD signify(1) is so much better.
-
It has the fatal flaw of not being very portable and not yet being available in package repositories though.
-
There's a very portable standalone version of signify in outils: https://github.com/chneukirchen/outils …
-
But yeah, as usual, OpenBSD (in general *BSD) fails at portability and packaging for use outside its bubble.
-
Point was the interface though: having a cmd "verify this signed file against this key file" vs pgp stateful keyring
-
It's nice to have that, but it's also nice to have a way to automatically fetch them and store them for easy TOFU.
-
GPG is terrible, sure. There aren't great alternatives though. Important to have a trusted way to obtain the tool too.
-
Git signed tags are particularly bad since they are really only signing the last hash in a chain of sha1 hashes...
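The point made in the reply above, as an added illustration that is not part of the thread (constructed sample objects, Python standard library only, no real repository): an annotated tag's signature covers only the tag object's text, which names the commit by its id; the tree and blob content beneath it is reached through sha1 links that a verifier recomputes, never through the signature itself. `verify_chain` below is a hypothetical helper that walks those links the way git implicitly does.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Hash a loose git object exactly as git does: sha1(b"<type> <size>\\0" + body)."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def tree_entry(mode: str, name: str, oid_hex: str) -> bytes:
    """One tree entry: "<mode> <name>\\0" followed by the raw 20-byte object id."""
    return f"{mode} {name}\0".encode() + bytes.fromhex(oid_hex)

def build_sample_repo():
    """Constructed sample: one blob, one tree, one commit, one annotated tag.

    Returns (store, tag_payload). store maps object id -> (type, body);
    tag_payload is the tag text a signature covers (git appends the
    ASCII-armoured signature after this text when it signs a tag).
    """
    store = {}

    def put(obj_type, body):
        oid = git_object_id(obj_type, body)
        store[oid] = (obj_type, body)
        return oid

    blob = put("blob", b"hello\n")
    tree = put("tree", tree_entry("100644", "hello.txt", blob))
    commit = put("commit", (
        f"tree {tree}\n"
        "author A U Thor <author@example.com> 1480000000 +0000\n"
        "committer A U Thor <author@example.com> 1480000000 +0000\n"
        "\n"
        "initial import\n"
    ).encode())
    tag_payload = (
        f"object {commit}\n"
        "type commit\n"
        "tag v1.0\n"
        "tagger A U Thor <author@example.com> 1480000001 +0000\n"
        "\n"
        "release v1.0\n"
    ).encode()
    return store, tag_payload

def signed_object_id(tag_payload: bytes) -> str:
    """The only object id the tag signature directly binds: the 'object' line."""
    first = tag_payload.split(b"\n", 1)[0]
    if not first.startswith(b"object "):
        raise ValueError("not a tag payload")
    return first[len(b"object "):].decode()

def verify_chain(store, root_oid: str) -> bool:
    """Walk from the signed commit down to the blobs, recomputing every id.

    This is the sha1 chain the tag signature relies on: the check fails if
    any referenced object is missing or its body no longer matches its id.
    """
    stack, seen = [root_oid], set()
    while stack:
        oid = stack.pop()
        if oid in seen:
            continue
        seen.add(oid)
        if oid not in store:
            return False
        obj_type, body = store[oid]
        if git_object_id(obj_type, body) != oid:
            return False
        if obj_type == "commit":
            header = body.split(b"\n\n", 1)[0]   # headers end at the blank line
            for line in header.split(b"\n"):
                if line.startswith((b"tree ", b"parent ")):
                    stack.append(line.split(b" ", 1)[1].decode())
        elif obj_type == "tree":
            i = 0
            while i < len(body):                 # "<mode> <name>\0" + 20 raw bytes
                nul = body.index(b"\0", i)
                stack.append(body[nul + 1:nul + 21].hex())
                i = nul + 21
    return True

if __name__ == "__main__":
    store, payload = build_sample_repo()
    commit = signed_object_id(payload)
    print("signed commit:", commit, "chain intact:", verify_chain(store, commit))
    # Alter the blob body without touching the signed tag text at all.
    blob_oid = git_object_id("blob", b"hello\n")
    store[blob_oid] = ("blob", b"hello, altered\n")
    print("chain intact after alteration:", verify_chain(store, commit))
```

The tag payload never contains the blob's id, let alone its bytes; the second run shows the only thing standing between the signature and the file content is the recomputed hash chain, which is why the strength of that chain (sha1 here) matters to anyone relying on a signed tag.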