[andycaine]

Some of the reservations around GPG and PKI are understandable. GPG signing clearly works for OS package managers where there is more control, but it's been a failure on PyPi, RubyGems and Maven.

I'd love to see npm adopt keyless signing like PyPi are doing with https://peps.python.org/pep-0740/.

[lrvick]

Keyless signing is not a real thing. Trust online is always anchored to keys, even if short lived. Keyless signing just means letting a centralized oracle blind sign for you with trust anchored in a CA key of some kind in most cases, that an unknown number of people can tamper with.

Also GnuPG is not PGP.

My team and I dual PGP sign all packages in stagex with smartcards after confirmed determinstic builds. It works great, and avoids trust in any single party or computer. We even do this for all our python packages as pip will not allow it.

It is a single command with a rust binary to setup a PGP smartcard out of the package, with a backup. (keyfork) All devs should be PGP signing releases, reviews, and commits so we have a paper trail blackhats cannot inject themselves into.

There are no excuses other than misconceptions and misinformation on this topic being normalized.

[andycaine]

That's great - PGP signing works for you in your org.

But the fact is it hasn't worked for package repos like PyPi, and it won't for npm, because in a distributed, low-trust ecosystem like npm, you can't easily bind identities to PGP keys or have any confidence in the key management practices of package signers.

And of course "keyless" signing isn't literally keyless. But tools like sigstore remove the need for the management of long-lived keys and can bind a signature to an identity verified by a trusted IdP, solving some of the main issues with adopting PGP signatures.