/? https://www.google.com/search?q=removed+gpg+and+sigstore+onl...
IIRC OpenPGP signatures do work with W3C VC; there's a URI for the key type and algorithm?
"Chapter 8. Signing container images" and any other OCI artifact: https://docs.redhat.com/en/documentation/red_hat_enterprise_... :
> You can use a GNU Privacy Guard (GPG) signature or a sigstore signature to sign your container image
--
"What does a PGP signature on a Git commit prove?" https://news.ycombinator.com/item?id=26640915
"Git-signatures – Multiple PGP signatures for your commits" (2019) https://news.ycombinator.com/item?id=19183803#19186012
"Linked Data Signatures for GPG" > GpgLinkedDataKeyClass2020, GpgSignature2020: https://gpg.jsld.org/ .. spec: https://gpg.jsld.org/contexts/
"PGP Vocabulary v1" (2021) > PgpVerificationKey2021, PgpSignature2021:https://or13.github.io/lds-pgp2021/
"Verifiable Credentials with PGP" (2022) https://transmute-industries.github.io/vc-pgp/
--
A blog post from 2022 on how to do artifact key revocation with Sigstore Fulcio, Rekor, and AWS Lambda; but revocation transparency https://blog.sigstore.dev/dont-panic-a-playbook-for-handling...
"Why you can’t use Sigstore without Sigstore" (2023) https://blog.sigstore.dev/why-you-cant-use-sigstore-without-...
"Model authenticity and transparency with Sigstore" https://next.redhat.com/2025/04/10/model-authenticity-and-tr...
sigstore/model-transparency: https://github.com/sigstore/model-transparency
westurner•4mo ago
"RPM 6.0 Released With OpenPGP Improvements & Enforces Signature Checking By Default" (2025) https://www.phoronix.com/news/RPM-6.0-Released