16 Mar 2021, 3:04 p.m.
On Tue, Mar 16, 2021 at 9:42 AM Christian Heimes <christian@python.org> wrote:

> GPG signatures are problematic because GPG is awful.

What is the problem here? Most of the verification for external downloads, at the moment, seems to be via GPG.

> Sigstore [2] might become an alternative in the future.

TIL. Seems very recent - https://security.googleblog.com/2021/03/introducing-sigstore-easy-code-signi...
Thank you, Senthil