Guillem Jover <[email protected]> writes:

>  * Make the format extensible to other signature formats or workflows
>    (such as x509, secure-boot, IMA, etc., even if there's currently no
>    intention to add support for any of this).

I think this is a useful goal to make sure there is no PGP-specific
assumption lurking.  The SSH signature format is low complexity, stable
and widely implemented, so maybe supporting this would be possible?  If
there is a framework to plug things into I may put some cycles into
implementing SSHSIG support.  I think supporting Sigstore and Sigsum
verification would be useful too, since I think in the coming years
we'll look at non-transparency-signed software releases in a similar way
that we look at non-signed software releases today.

/Simon
