Dangerzone will soon have a dependency on cosign to verify signatures of the container images. The cosign binary should be either vendorized or depended-on, depending on the platform.
Currently, only Debian-related distributions provide packages for it. Fedora doesn't offer packages just yet.
Debian
The cosign Debian tracker reports that it's available on Trixie (testing), but not on other platforms.
Ubuntu packages it for plucky (25.04, not supported yet by DZ).
As we only have one package for all Debian distributions and derivatives, I'm wondering if we could include it in the Recommends field, from the docs:
Recommends
This declares a strong, but not absolute, dependency.
The Recommends field should list packages that would be found together with this one in all but unusual installations.
Vendorizing
For distributions that don't offer cosign packages, we should probably vendorize it. One way to do it would be to do the verification steps ourselves and then include a hash of the latest known release for all supported platforms.
almet added the icu label (Issues related with independent container updates) Jan 30, 2025
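The hash-pinning half of the vendorizing proposal above, as an added example that is not part of the original issue or Dangerzone's own code: a vendored cosign binary is accepted only if its SHA-256 matches the digest pinned for the current platform. The asset names, the function names and the pin table are hypothetical, and the pinned digest is a constructed stand-in (SHA-256 of `b"abc"`), not a real cosign release hash.

```python
import hashlib
import hmac
import platform

# Constructed pin table. A real entry holds the SHA-256 of a cosign release
# asset whose signature was checked before the digest was recorded. The digest
# here is SHA-256 of b"abc", standing in for a binary; asset names are hypothetical.
ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
PINNED = {
    ("linux", "x86_64"): ("cosign-linux-amd64", ABC),
    ("windows", "x86_64"): ("cosign-windows-amd64.exe", ABC),
}
# platform.machine() spells the same CPU differently per OS.
ARCH_ALIASES = {"amd64": "x86_64", "aarch64": "arm64"}


class VerificationError(Exception):
    """Raised when the vendored binary must not be used."""


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_vendored(path, system=None, machine=None, pins=PINNED):
    """Return the pinned asset name if `path` matches the pin for this platform."""
    system = (system or platform.system()).lower()
    machine = (machine or platform.machine()).lower()
    key = (system, ARCH_ALIASES.get(machine, machine))
    if key not in pins:
        # Fail closed: an unpinned platform gets no binary, not an unchecked one.
        raise VerificationError(f"no pinned cosign hash for {key}")
    name, expected = pins[key]
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"{name}: got {actual}, pinned {expected}")
    return name


if __name__ == "__main__":
    import sys
    print(verify_vendored(sys.argv[1]))
```

The pin table only carries trust forward from the moment each digest was recorded, so updating it for a new cosign release means repeating the release verification first.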