Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upOffer alternative to GPG: Minisign #2343
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
andrewdavidwong
Sep 30, 2016
Member
I think this is unlikely to happen for several reasons:
- PGP is a well-known, widely accepted standard.
- We also provide cryptographic digests (hashes) as an alternative verification method.
- GPG is well-tested and trusted software, whereas Minisign is relatively unknown.
- We couldn't possibly support everyone's favorite verification method. There are too many out there. We don't have the resources to evaluate them, and it probably wouldn't be worth our time.
- GPG already supports ECC.
CC: @rootkovska, @marmarek
|
I think this is unlikely to happen for several reasons:
CC: @rootkovska, @marmarek |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rugk
commented
Sep 30, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
jedisct1
commented
Sep 30, 2016
|
If it works, don't fix it. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
rugk
commented
Sep 30, 2016
|
It should be an alternative. That's no fix, that's an enhancement. |
rootkovska
closed this
Oct 1, 2016
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
rugk commentedSep 29, 2016
PGP/GPG is old and uses RSA keys. There is a new signing tool called Minisign, which is faster and more secure than RSA keys as it uses the well-known elliptical curve Curve25519 included in Ed25519.
It would be nice if Minisign signatures would be offered as an alternative to traditional signatures on the download page of Qubes OS. Additionally, of course, minisign could also be used by Qubes OS internally, e.g. as a ('n additional) verification of updates or similar things...