A client receives a package that is signed by Arch. Why shouldn't it be able to publish the package data (including the publisher signature) to the public log? Why should you wait until the package's publisher, or Arch, does that?
This way we have more decentralized auditing, too.
Arch packages are signed using PGP keys, which are generally multi-purpose. For binary transparency to be effective you need a complete view of all signed data; this is why additional signatures are created.
You could in theory create these signatures yourself by deploying pacman-bintrans-sign yourself.
The transparency signatures can be submitted to rekor.sigstore.dev by anyone, but the pacman-bintrans client currently just rejects them if they aren't already included in the log.
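A minimal model of the client policy described in the reply above, as an added example that is not pacman-bintrans code: a simulated in-memory log stands in for the public log, a dedicated ed25519 key stands in for the separate transparency signatures, and the client refuses any package whose entry is not already logged rather than submitting it. NewLog, SignPackage and VerifyPackage are assumed names; the publisher PGP check is assumed to happen elsewhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TransparencyLog stands in for the public log (rekor in the thread): an
// append-only record keyed by package digest. Anyone may submit an entry.
type TransparencyLog struct{ entries map[string][]byte }

func NewLog() *TransparencyLog { return &TransparencyLog{entries: map[string][]byte{}} }

func (l *TransparencyLog) Submit(digest string, sig []byte) { l.entries[digest] = sig }

// digestOf hashes the package bytes; the log is keyed by the hex form.
func digestOf(pkg []byte) (string, []byte) {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]), sum[:]
}

// SignPackage makes the transparency signature with a dedicated single-purpose key.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) (string, []byte) {
	digest, raw := digestOf(pkg)
	return digest, ed25519.Sign(priv, raw)
}

// VerifyPackage is the client policy from the thread: it never submits
// entries itself and accepts a package only if a transparency signature
// is already logged and verifies. Publisher PGP checks are assumed done.
func VerifyPackage(log *TransparencyLog, pub ed25519.PublicKey, pkg []byte) error {
	digest, raw := digestOf(pkg)
	sig, ok := log.entries[digest]
	if !ok {
		return errors.New("no transparency entry for package; refusing to install")
	}
	if !ed25519.Verify(pub, raw, sig) {
		return errors.New("transparency signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	log, pkg := NewLog(), []byte("constructed sample package") // constructed input
	fmt.Println("unlogged:", VerifyPackage(log, pub, pkg))
	digest, sig := SignPackage(priv, pkg)
	log.Submit(digest, sig)
	fmt.Println("logged:", VerifyPackage(log, pub, pkg))
}
```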