Problems with trust path when packaging about argcomplete HOT 6 OPEN

I can provide you with more information here, once the tooling is ready! :)

I heard it's really tasty! 🥯

If you are going that route, please consider a trust path from your current OpenPGP key 29BCBADB4ECAAAC2382699388AFAFCD242818A52 to the new tooling (e.g. by introducing the new way of signing in a signed commit).

Just for the record, this is how the openssh project does that. They do have an "allowed signers" file with all SSH keys: https://github.com/openssh/openssh-portable/blob/master/.git_allowed_signers and the "trust path" is provided by an OpenPGP signature over that file: https://github.com/openssh/openssh-portable/blob/master/.git_allowed_signers.asc

HTH 👋

from argcomplete.

@kislyuk the projects that may be of interest to you are https://codeberg.org/openpgp-card/ssh-agent/, https://codeberg.org/openpgp-card/openpgp-card-tools/, https://codeberg.org/openpgp-card/oct-git and https://codeberg.org/heiko/rsop

With those you can basically maintain an OpenPGP card based workflow for signing and decryption without having to use GnuPG at all.

from argcomplete.

Hi! Thanks for your interest in argcomplete and for your efforts to help package and distribute it.

While I agree with the overall design of the web of trust and with the goals of OpenPGP-based software distribution infrastructure, the only implementation that is available to me in my development environments is GnuPG, which has major usability issues that make me disinclined to continue its use. I welcome suggestions of other OpenPGP implementations that have better UX standards compared to GnuPG.

I plan to continue to manage releases for this project for the foreseeable future. If that ever changes, you can expect it to be reflected by the state of this project on a trusted platform like GitHub: the repository will either be transferred to a new organization or a new maintainer, with committer access updated correspondingly.

from argcomplete.

the only implementation that is available to me in my development environments is GnuPG, which has major usability issues that make me disinclined to continue its use.

A common theme 🥲

I welcome suggestions of other OpenPGP implementations that have better UX standards compared to GnuPG.

Do you use a smartcard to work with your OpenPGP private key? If so, there may be something to beta test soon 😉

I plan to continue to manage releases for this project for the foreseeable future.

Just to clarify: Currently, this means you will not be signing tags going forward?

from argcomplete.

I don't have a smartcard, but I have a bunch of yubikeys. Would those work?

Currently, this means you will not be signing tags going forward?

Not with gnupg. It has interrupted too many of my releases with ridiculous bugs and otherwise stolen too much of my time.

It looks like git and github now support signing with SSH keys. If I sign my tags with SSH keys and post my SSH public key in my various online profiles, would that work for you?

from argcomplete.

I don't have a smartcard, but I have a bunch of yubikeys. Would those work?

Yes. (I should have specified what I'm referring to as smartcard is an OpenPGP card - those come in all forms, not just the classic oldschool "smartcard").
I can provide you with more information here, once the tooling is ready! :)

If I sign my tags with SSH keys and post my SSH public key in my various online profiles, would that work for you?

On Arch Linux we have only now started to look into how to do OpenSSH based signature verification sensibly.
If you are going that route, please consider a trust path from your current OpenPGP key 29BCBADB4ECAAAC2382699388AFAFCD242818A52 to the new tooling (e.g. by introducing the new way of signing in a signed commit).

from argcomplete.