Teams/Apt/Spec/AptSign - Debian Wiki
Over the past few years, it has become clear that OpenPGP is a major disappointment for repository signing, the interfaces around being the cause for multiple security vulnerabilities; and limited development speed and deprecation of algorithms and key sizes causing uncertainty about long term safety of LTS releases.
This document outlines a new approach to signing repositories. For the time being, one algorithm is being used: Ed25519 with SHA512, also used by signify-openbsd, minisign, and OpenSSH (ssh-ed25519).
earlier proof of concept (C++): https://gist.github.com/julian-klode/4514ce39d3dc62647b502e5a8cf6a3ef (slightly different format, but proofs enough :D)
Signatures: <algorithm> <base64(public signing key||signature)> <algorithm> <base64(public signing key||signature)> <algorithm> <base64(public signing key||signature)>
Each line must start with exactly one space character, followed by a base64 block. There must be no whitespace following the base64 block.
/cdn.vox-cdn.com/uploads/chorus_asset/file/24801728/Screenshot_2023_07_21_at_1.45.12_PM.jpeg)
