Verification of OS artifacts without stateful keyrings (asg2025)

Chaos Computer Club - recent events feed (high quality)

CCC media team에서 제공하는 콘텐츠입니다. 에피소드, 그래픽, 팟캐스트 설명을 포함한 모든 팟캐스트 콘텐츠는 CCC media team 또는 해당 팟캐스트 플랫폼 파트너가 직접 업로드하고 제공합니다. 누군가가 귀하의 허락 없이 귀하의 저작물을 사용하고 있다고 생각되는 경우 여기에 설명된 절차를 따르실 수 있습니다 https://ko.player.fm/legal.

7d ago 21:40

MP4•에피소드 홈

Many OS artifacts today are still verified using proprietary, stateful keyring formats. With the "File Hierarchy for the Verification of OS Artifacts (VOA)" an attempt is made to rid the ecosystem of this limitation by implementing a generic lookup directory. With extensibility in mind, this unifying hierarchy currently provides integration for OpenPGP, with further integrations in planning. While working on improvements to the [ALPM](https://alpm.archlinux.page) ecosystem, the way packages and other OS artifacts are currently verified on Arch Linux has been evaluated. Noticing the extensive vendor lock-in to GnuPG and with today's widespread availability of [Stateless OpenPGP](https://wiki.archlinux.org/title/Stateless_OpenPGP) implementations in mind, a plan was hatched to create a more generic, stateless approach. A specification and implementation for the [UAPI group](https://uapi-group.org/) has been started to create a ["File Hierarchy for the Verification of OS Artifacts (VOA)"](https://github.com/uapi-group/specifications/pull/134). This approach is meant to be technology agnostic and allow further integrations, such as SSH and X.509. Follow along for an overview of what this specification is trying to improve upon and how today's tools could benefit from it in the future. Licensed to the public under https://creativecommons.org/licenses/by/4.0/de/ about this event: https://cfp.all-systems-go.io/all-systems-go-2025/talk/7DDSVZ/

1974 에피소드

#Tech #Ccc Congress Hacking Security Netzpolitik #Germany #CCC media team #Video