← Back to context

Comment by stackghost

1 year ago

More in keeping with the Unix philosophy of doing one thing and doing it well (GnuPG in particular does a mediocre job of many things), the best move is to replace it with a suite of single purpose tools.

For example, signing commits with minisign or signify.

7 comments

stackghost

Reply
CarpaDorada  1 year ago

>For example, signing commits with minisign or signify.

These tools don't work well with git or the git forges, and they do not work at all with fossil. (Obviously signify is a good choice if you're using OpenBSD.) Furthermore they lock you in entirely in their choice of algorithm, Ed25519, which may not be what you want (Why not Ed448?)

As far as adoption goes, and adoption is hard to get going, GnuPG is what is used in Linux the most...

  • stackghost  1 year ago

    "Github supports GnuPG signatures" does not contradict the statement "GnuPG is trash". I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.

    • CarpaDorada  1 year ago

      The issue is mostly with git itself, e.g. take a look at

        git cat-file commit HEAD

      to see something like:

        tree <tree-hash>
  parent <parent-hash>
  author <author-name> <author-email> <timestamp>
  committer <committer-name> <committer-email> <timestamp>
  gpgsig -----BEGIN PGP SIGNATURE-----
   
   <ascii-armored RFC9580 signature>
   -----END PGP SIGNATURE-----

  <commit message>

      You can view an example of the structure of this ascii-armored signature here <https://cirw.in/gpg-decoder/#-----BEGIN%20PGP%20SIGNATURE---...>.

      You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.

      2 replies →

    • tapete  1 year ago

      > I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.

      Well you are neither, all you do is throw unobjective flames around ("gnupg is trash") and post various claims about bad security without backing them up, implicitly demanding that other people do the leg work of disproving your accusations against the GNU project.

      Are you working for Apple by any chance?

      1 reply →