Draft: "Verification of OS Artifacts (VOA)" (!40) · Merge requests · Arch Linux / alpm / alpm

This PR explores how an API/implementation of the current "Verification of OS Artifacts (VOA)" specification could look.

It is split into two parts:

voa-core contains technology-agnostic access logic for a VOA hierarchy
voa-openpgp builds a technology-specific backend for OpenPGP on top of voa-core

(voa-openpgp contains an extremely raw outline of a test: running testkey_loader.sh populates directories under /tmp with a few OpenPGP certificates and one arch package/signature pair. Running main.rs in voa-openpgp attempts to validate the packet's signature)

Edited Feb 12, 2025 by Heiko Schaefer

Admin message

Draft: "Verification of OS Artifacts (VOA)"

Merge request reports