Posts

Showing posts from November, 2021

It's Now Possible To Sign Arbitrary Data With Your SSH Keys

https://www.agwa.name/blog/post/ssh_signatures Did you know that you can use the ssh-keygen command to sign and verify signatures on arbitrary data, like files and software releases? Although this feature isn't super new - it was added in 2019 with OpenSSH 8.0 - it seems to be little-known. That's a shame because it's super useful and the most viable alternative to PGP for signing data. If you're currently using PGP to sign data, you should consider switching to SSH signatures. Here's why I like SSH signatures: It's not PGP. For years, security professionals have been sounding the alarm on PGP, including its most popular implementation, GnuPG/GPG. PGP is absurdly complex, has an awful user experience, and is full of crufty old cryptography which shouldn't be touched with a ten foot pole. SSH is everywhere, and people already have SSH keys. If you use Debian Bullseye or Ubuntu 20.04 or newer, you already have a new enough version of SSH installed. And...

The PGP Problem

https://latacora.micro.blog/2019/07/16/the-pgp-problem.html "Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away. There are, as you’re about to see, lots of problems with PGP. Fortunately, if you’re not morbidly curious, there’s a simple meta-problem with it: it was designed in the 1990s, before serious modern cryptography. No competent crypto engineer would design a system that looked like PGP today, nor tolerate most of its defects in any other design. Serious cryptographers have largely given up on PGP and don’t spend much time publishing on it anymore (with a notable exception). Well-understood problems in PGP have gone unaddressed for over a decade because of this. Two quick notes: first, we wrote this f...

The Secret to Productivity (as an ex-Google millionaire)

BLUE_CHANNEL: THALASIN