Comment by woodruffw

1 year ago

Just for disambiguation: ECDSA is a signing algorithm, not a protocol or toolkit like PGP. PGP can produce ECDSA signatures through an extension RFC, but it's not a core part of OpenPGP.

There is no immediate replacement, because the overwhelming majority of packages never bothered to sign with PGP (and all evidence points to the overwhelming majority of signatures never being verified). In other words, this is much closer to removing "dead" code than to killing an active feature.

Longer term, the plan is to integrate Sigstore[1]-based signatures.

[1]: https://www.sigstore.dev/
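The distinction drawn at the top of the comment (ECDSA is an algorithm; OpenPGP and Sigstore are the things that wrap a signature in identity, key distribution and a trust policy) is easiest to see with the bare algorithm in hand. The following is an added example, not code from this thread, from PyPI, or from Sigstore: a minimal, pure-Python ECDSA over NIST P-256 with SHA-256. Function names (`keygen`, `sign`, `verify`, `public_key`), the deterministic nonce derivation (HMAC of the private key over the message hash with a retry counter, a simplification of RFC 6979, not the RFC itself) and the sample message are the editor's own choices. Note what the algorithm gives you: an `(r, s)` pair that checks out against a public key, and nothing more. Who owns that key, whether it was ever revoked, and whether anybody verifies the pair at install time are exactly the questions a toolkit has to answer.

```python
import hashlib
import hmac
import secrets

# NIST P-256 (secp256r1) domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (GX, GY)  # base point; the point at infinity is represented as None


def _on_curve(pt):
    """Reject keys that are not on P-256 (guards against invalid-curve inputs)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine point addition/doubling. Not constant-time: illustrative only."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, pt):
    """Right-to-left double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def _hash(message):
    # SHA-256 output is 256 bits, the same size as n, so no truncation step is needed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def _nonce(d, e, counter):
    # Simplified deterministic nonce (assumption: HMAC(d, e || counter) mod n, not full RFC 6979).
    # The property that matters is that k is never reused across messages: reuse leaks d.
    mac = hmac.new(d.to_bytes(32, "big"), e.to_bytes(32, "big") + counter.to_bytes(4, "big"), "sha256")
    return int.from_bytes(mac.digest(), "big") % N


def public_key(d):
    return _mul(d, G)


def keygen():
    d = secrets.randbelow(N - 1) + 1  # private scalar in [1, n-1]
    return d, public_key(d)


def sign(d, message):
    """Return the ECDSA signature (r, s) of message under private key d."""
    e = _hash(message)
    counter = 0
    while True:
        k = _nonce(d, e, counter)
        counter += 1
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        return (r, s)


def verify(Q, message, signature):
    """True iff (r, s) is a valid signature of message under public key Q."""
    if not _on_curve(Q):
        return False
    r, s = signature
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = _hash(message)
    w = pow(s, -1, N)
    X = _add(_mul(e * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r


if __name__ == "__main__":
    priv, pub = keygen()
    msg = b"example-package-1.0.tar.gz sha256 digest goes here"  # constructed sample input
    sig = sign(priv, msg)
    print("valid:", verify(pub, msg, sig), "tampered:", verify(pub, msg + b"x", sig))
```

The `_on_curve` check in `verify` is the one line a practitioner should not drop: a public key that is not on the curve is accepted by the arithmetic but breaks the security argument. Everything else here is the algorithm and only the algorithm; binding `pub` to a maintainer, an OIDC identity or a certificate is the layer OpenPGP or Sigstore supplies.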