It's awful for signing source code releases etc. because the recipient needs a stateful keyring to verify.
Something like OpenBSD signify(1) is so much better.
Replying to @RichFelker @thegrugq
It has the fatal flaw of not being very portable and not yet being available in package repositories though.
Replying to @CopperheadOS @thegrugq
There's a very portable standalone version of signify in outils: https://github.com/chneukirchen/outils …
But yeah, as usual, OpenBSD (in general *BSD) fails at portability and packaging for use outside its bubble.
Point was the interface though: having a cmd "verify this signed file against this key file" vs pgp stateful keyring
Replying to @RichFelker @thegrugq
It's nice to have that, but it's also nice to have a way to automatically fetch them and store them for easy TOFU.
GPG is terrible, sure. There aren't great alternatives though. Important to have a trusted way to obtain the tool too.
Git signed tags are particularly bad since they are really only signing the last hash in a chain of sha1 hashes...
Replying to @CopperheadOS @thegrugq
There are no practical attacks now or likely in the immediate future, but yes.
git should probably just add a secondary hash algorithm alongside sha1 in a backwards-compatible way.
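The two points above about signed tags (the signature covers only the last SHA-1 in the chain, and a secondary hash could be computed alongside it) illustrated with an added example that is not part of the thread and not git's own code: it recomputes git's object IDs from scratch with the standard library, builds a one-file repository in memory, and reports which identifiers and content actually appear in the bytes that `git tag -s` hands to GPG. The repository contents, author string and tag name are constructed for the example; the `algo` parameter is an assumption added only to show the secondary-hash idea on the same object layout (real SHA-256 git repositories differ in other details).

```python
import hashlib

# Added example, not the thread's or git's code. Recomputes git object IDs
# (stdlib only) to show what the signature on a signed tag actually covers.


def git_object_id(obj_type: str, body: bytes, algo: str = "sha1") -> str:
    """Git object ID: hash over the header 'type SP size NUL' followed by the body.

    Git uses SHA-1; `algo` is an assumed parameter used only to illustrate
    computing a second hash over the same object layout.
    """
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.new(algo, header + body).hexdigest()


def blob_id(data: bytes, algo: str = "sha1") -> str:
    return git_object_id("blob", data, algo)


def tree_id(entries, algo: str = "sha1") -> str:
    """entries: (mode, name, child_id_hex). Git stores each child ID as raw digest
    bytes, entries sorted by name (plain files only here; subdirectory sort
    rules are ignored)."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body, algo)


def commit_body(tree: str, parents, author: str, committer: str, message: str) -> bytes:
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()


def tag_payload(obj: str, obj_type: str, name: str, tagger: str, message: str) -> bytes:
    """The bytes `git tag -s` signs; the PGP signature block is appended after them."""
    return f"object {obj}\ntype {obj_type}\ntag {name}\ntagger {tagger}\n\n{message}\n".encode()


def build_signed_tag(file_content: bytes, algo: str = "sha1") -> dict:
    """Constructed repository: one file, one root commit, one annotated tag."""
    author = "Example Dev <dev@example.invalid> 1500000000 +0000"  # constructed
    b = blob_id(file_content, algo)
    t = tree_id([("100644", "hello.txt", b)], algo)
    c = git_object_id("commit", commit_body(t, [], author, author, "Initial import\n"), algo)
    payload = tag_payload(c, "commit", "v1.0", author, "Release v1.0")
    return {"blob": b, "tree": t, "commit": c, "payload": payload}


def what_the_signature_binds(file_content: bytes) -> dict:
    """Which identifiers and which content appear directly in the signed bytes.

    Only the commit ID does: tree, blob and file content are bound purely
    through the chain of hashes below it.
    """
    tag = build_signed_tag(file_content)
    payload = tag["payload"]
    return {
        "commit_id_in_payload": tag["commit"].encode() in payload,
        "tree_id_in_payload": tag["tree"].encode() in payload,
        "blob_id_in_payload": tag["blob"].encode() in payload,
        "file_content_in_payload": file_content in payload,
    }


if __name__ == "__main__":
    tag = build_signed_tag(b"hello\n")
    print("signed bytes:\n" + tag["payload"].decode())
    for key, present in what_the_signature_binds(b"hello\n").items():
        print(f"{key}: {present}")
    # Same objects hashed with a second algorithm alongside SHA-1
    print("commit (sha256):", build_signed_tag(b"hello\n", "sha256")["commit"])
```

Changing the file content changes every ID up the chain and therefore the signed bytes, so a tag signature does bind the whole tree today; what it does not do is bind anything below the commit other than through SHA-1, which is exactly the weakness the thread is describing.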