Issue #2070
open
This only needs to be mentioned as a tradeoff as we'd need more rationale than that for moving away from gpg for signing releases (we would need a replacement tool that would work for Replicant).
References:
- https://tools.ietf.org/html/rfc4880
- Signatures have many parts in their packet:
    $ gpg --list-packets recovery-i9300.img.asc
    # off=0 ctb=89 tag=2 hlen=3 plen=563
    :signature packet: algo 1, keyid 5F5DFCC14177E263
        version 4, created 1578784783, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 78 ba
        hashed subpkt 33 len 21 (issuer fpr v4 782F9DDBE36BA7F3D4DE49065F5DFCC14177E263)
        hashed subpkt 2 len 4 (sig created 2020-01-11)
        subpkt 16 len 8 (issuer key ID 5F5DFCC14177E263)
        data: [4096 bits]
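
The fields in that listing follow the RFC 4880 signature packet layout. As an added example (not part of the original issue, and not Replicant or GnuPG code), this Python parser splits such a packet into its header, hashed and unhashed subpackets, and flags whether the unsigned key ID agrees with the signed fingerprint. The function names and `sample_packet()` are assumptions: the sample is constructed from the values shown above, with a 16-bit stand-in for the real 4096-bit signature, so its `plen` differs from 563.

```python
def subpackets(area):
    """Split a subpacket area into {type: data} (RFC 4880, section 5.2.3.1)."""
    out, i = {}, 0
    while i < len(area):
        n, i = area[i], i + 1                      # 1-octet length
        if 192 <= n < 255 and i < len(area):       # 2-octet length
            n, i = ((n - 192) << 8) + area[i] + 192, i + 1
        elif n == 255:                             # 5-octet length
            n, i = int.from_bytes(area[i:i + 4], "big"), i + 4
        if n < 1 or i + n > len(area):
            raise ValueError("subpacket overruns its area")
        out[area[i] & 0x7F] = area[i + 1:i + n]    # bit 7 is the critical flag
        i += n
    return out

def parse_signature(pkt):
    """Parse one old-format, version 4 signature packet (RFC 4880, section 5.2.3)."""
    ctb = pkt[0]
    if (ctb & 0xC0) != 0x80 or (ctb & 3) == 3 or (ctb >> 2) & 0xF != 2:
        raise ValueError("not an old-format, definite-length signature packet")
    nlen = 1 << (ctb & 3)                          # length field: 1, 2 or 4 octets
    plen = int.from_bytes(pkt[1:1 + nlen], "big")
    body = pkt[1 + nlen:1 + nlen + plen]
    if len(body) != plen or plen < 10 or body[0] != 4:
        raise ValueError("truncated packet or not a version 4 signature")
    hl = int.from_bytes(body[4:6], "big")          # hashed area length
    ul = int.from_bytes(body[6 + hl:8 + hl], "big")  # unhashed area length
    end = 8 + hl + ul
    if end + 2 > plen:
        raise ValueError("subpacket areas overrun the packet")
    hashed, unhashed = subpackets(body[6:6 + hl]), subpackets(body[8 + hl:end])
    fpr = hashed.get(33, b"")[1:]                  # drop the key-version octet
    return {"hlen": 1 + nlen, "plen": plen, "sigclass": body[1],
            "pk_algo": body[2], "digest_algo": body[3],
            "created": int.from_bytes(hashed.get(2, b""), "big"),
            "issuer_fpr": fpr.hex().upper(), "keyid": unhashed.get(16, b"").hex().upper(),
            "digest_start": body[end:end + 2].hex(),
            # The key ID sits in the unhashed (unsigned) area: compare it with the signed fingerprint.
            "keyid_matches_fpr": bool(fpr) and unhashed.get(16) == fpr[-8:]}

def sample_packet():
    # Constructed packet mirroring the fields gpg lists above; the MPI is a 16-bit stand-in.
    fpr = bytes.fromhex("782F9DDBE36BA7F3D4DE49065F5DFCC14177E263")
    hashed = bytes([22, 33, 4]) + fpr + bytes([5, 2]) + (1578784783).to_bytes(4, "big")
    unhashed = bytes([9, 16]) + fpr[-8:]
    body = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\x78\xba" + (16).to_bytes(2, "big") + b"\xab\xcd")
    return bytes([0x89]) + len(body).to_bytes(2, "big") + body
```

`parse_signature(sample_packet())` returns the same header length, signature class, algorithm numbers, creation time, fingerprint and key ID that `gpg --list-packets` prints above.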
- Type of work Unknown, Wiki editions added