codehash.db
codehash.db copied to clipboard
rootkovska
Organization: PGP signature types
Currently, we have this:
codehash.db/os/qubes/
├── 3.2
│ ├── hash
│ ├── hash.sig.joanna
│ ├── origin.joanna
│ └── origin.sig.joanna
└── vendor_keys
[...]
It's necessary that hash.sig.joanna exist as a separate file (a detached signature file), since multiple people may eventually sign the same hash file. However, it's not necessary for origin.joanna and origin.sig.joanna to exist as two separate files, since origin.joanna could instead be a single clearsigned file. There's no problem with having origin.joanna as a single clearsigned file since it's unique to Joanna. Other people will add their own origin files. (This also doesn't prevent them from signing Joanna's origin.joanna, if for some reason they want to.) One benefit of having clearsigned origin files is that there are fewer files to wade through. Another benefit is that anyone who clicks on a link leading to origin.joanna will immediately see that the message is PGP-signed, and they will already have the signature block. With a detached signature, they'd have to hunt around for the detached signature file separately in order to very Joanna's origin message.
I'm not necessarily suggesting that you should use clearsigs on origin files. I'm just pointing out some of their benefits. Perhaps you'd simply like to leave it up to witnesses to choose whether they'd prefer to use clearsigs or detached sigs. Alternatively, if you want uniformity, you might require one or the other (in which case, this should be specified in the README).
For example, in my pull request (https://github.com/rootkovska/codehash.db/pull/2), my origin files are clearsigned.
