by
sarciszewski
4077 days ago
I recommend RSA (GnuPG) or Ed25519 signatures with two key pairs: A weekly/monthly signing key pair, and a long-term one that is only used to validate the short-term public key.
https://scott.arciszewski.me/blog/2015/01/package-signing-th...
2 comments
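The two-tier scheme the comment recommends, as an added Go example (not the commenter's code): an offline long-term Ed25519 key signs a certificate binding a short-term signing key to an expiry, the short-term key signs packages, and the verifier walks that chain. The certificate layout (public key followed by a big-endian unix expiry) and the one-week window are assumptions; the comment only specifies the two-key structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// certBytes is what the long-term key signs: stPub || expiry (assumed: big-endian unix seconds).
func certBytes(stPub ed25519.PublicKey, notAfter int64) []byte {
	buf := make([]byte, len(stPub)+8)
	copy(buf, stPub)
	binary.BigEndian.PutUint64(buf[len(stPub):], uint64(notAfter))
	return buf
}

// IssueCert: the offline long-term key vouches for a short-term key until notAfter.
func IssueCert(ltPriv ed25519.PrivateKey, stPub ed25519.PublicKey, notAfter int64) []byte {
	return ed25519.Sign(ltPriv, certBytes(stPub, notAfter))
}

// VerifyPackage walks the chain long-term key -> cert -> package signature. The client
// pins only ltPub; stPub, notAfter and certSig ship alongside the package.
func VerifyPackage(ltPub, stPub ed25519.PublicKey, notAfter int64, certSig, pkg, pkgSig []byte, now int64) error {
	if len(stPub) != ed25519.PublicKeySize {
		return errors.New("malformed signing key") // ed25519.Verify panics on a bad key length
	}
	if !ed25519.Verify(ltPub, certBytes(stPub, notAfter), certSig) {
		return errors.New("signing key is not vouched for by the long-term key")
	}
	if now > notAfter {
		return errors.New("signing key has expired")
	}
	if !ed25519.Verify(stPub, pkg, pkgSig) {
		return errors.New("bad package signature")
	}
	return nil
}

func main() {
	ltPub, ltPriv, _ := ed25519.GenerateKey(rand.Reader) // long-term pair, kept offline
	stPub, stPriv, _ := ed25519.GenerateKey(rand.Reader) // this week's signing pair
	notAfter := time.Now().Add(7 * 24 * time.Hour).Unix()
	certSig := IssueCert(ltPriv, stPub, notAfter)
	pkg := []byte("constructed package contents")
	fmt.Println(VerifyPackage(ltPub, stPub, notAfter, certSig, pkg, ed25519.Sign(stPriv, pkg), time.Now().Unix()))
}
```

Rotating to next week's key means issuing a new certificate with the long-term key; clients never need a new pinned key, and an expired or unvouched short-term key is rejected before the package signature is even checked.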
eropple
4077 days ago
That's an excellent way to ensure nobody checks your signatures, though. Making it hard means they will be ignored.
drdaeman
4077 days ago
Key rollover and certificate trust chains don't work in Android world.