2026-01-01 02:21:20
This is so beautiful. 🥹
#PGP/#GPG keeps on giving
#SigStore / #PyPI attestations: #PGP is hard! We must invent a new signing scheme that's so much easier on users.
The tools, after I've spent hours *integrating* them into #Gentoo, and getting them working for everything before:
* Verifying google_auth-2.46.0.tar.gz ...
Provenance signed by a Google Cloud account, but no service account provided; use '--gcp-service-account'
Yeah, I'm sure that's *so much simpler* than PGP.
#security
Oh, "nice". I see that #GitHub now #PGP-signs commits made via the web UI with its own key, and gives them a green "Verified" label as if *you* actually signed them.
Not that you could ever really trust labels displayed by a third party, but still.
#OpenSource #FreeSoftware