Currently we are using GPG for release signing (pretty much like everyone else).
Popularity of GPG for release signing comes from the fact that many people already had it installed for email encryption/signing. Inside a VyOS image, signature checking is the only reason to have it installed.
However, it still comes with all the features no one needs, such as support for multiple outdated cipher suites and the ability to embed a photo in the key file. More importantly, the web of trust, the basic premise of PGP, is never used in the release signing context. Once you have a knowingly authentic image, the authenticity of upgrades is checked using a key that ships inside the image, and to get their first image people never rely on keyservers either.
Another point is that we are using RSA now, which requires absurdly large keys to be secure.
In 2015, OpenBSD introduced signify. An alternative implementation of the same protocol is minisign, which is also available for Windows and OS X, and in most GNU/Linux distros it's in the repositories now.
Its installed size (complete with libsodium) is less than that of the GPG binary alone (not including libgcrypt and some other libs, which I think we only use for GPG). Since it uses elliptic curves, it gets away with much smaller keys, and it doesn't include as much metadata to begin with.
Another issue with GPG is that it creates a /root/.gnupg directory just for release checking. The dir is small, so the fact that it's never used again is an aesthetic problem, but we've had that process fail in the past. However, the small key size of the Ed25519 algorithm allows passing public keys in command line arguments, so the verification process can be completely stateless:
minisign -Vm myfile.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3
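To show what that stateless check actually involves, here is an added example (not VyOS code, not part of minisign itself) that parses a minisign public key string of the form passed to -P and a .minisig file, and verifies both the file signature and the trusted-comment global signature. It assumes the minisign file format (base64 of "Ed" || 8-byte key id || 32-byte Ed25519 key; signature blob of "Ed"/"ED" || key id || 64-byte signature; "ED" means the signature is over the BLAKE2b-512 hash of the file), uses the cryptography package for Ed25519, and constructs its own throwaway key pair and sample image bytes so it runs offline.

```python
import base64
import hashlib
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

TRUSTED_PREFIX = "trusted comment: "


def parse_public_key(pk_b64):
    """Decode the base64 string given to `minisign -P` into (key_id, raw_pk)."""
    raw = base64.b64decode(pk_b64)
    if len(raw) != 42 or raw[:2] != b"Ed":
        raise ValueError("not a minisign Ed25519 public key")
    return raw[2:10], raw[10:]


def parse_signature(minisig):
    """Split a .minisig file into (alg, key_id, sig, trusted_comment, global_sig)."""
    lines = minisig.strip().splitlines()
    if len(lines) != 4 or not lines[2].startswith(TRUSTED_PREFIX):
        raise ValueError("malformed .minisig file")
    blob = base64.b64decode(lines[1])
    if len(blob) != 74:
        raise ValueError("malformed signature blob")
    trusted_comment = lines[2][len(TRUSTED_PREFIX):]
    return blob[:2], blob[2:10], blob[10:], trusted_comment, base64.b64decode(lines[3])


def verify(pk_b64, minisig, data):
    """Stateless verification: everything needed is the key string, the .minisig and the file."""
    key_id, pk_raw = parse_public_key(pk_b64)
    alg, sig_key_id, sig, trusted_comment, global_sig = parse_signature(minisig)
    if sig_key_id != key_id:
        return False  # signed by a different key than the one we trust
    if alg == b"ED":
        msg = hashlib.blake2b(data, digest_size=64).digest()  # prehashed mode
    elif alg == b"Ed":
        msg = data  # legacy mode: signature over the raw file
    else:
        return False
    pk = Ed25519PublicKey.from_public_bytes(pk_raw)
    try:
        pk.verify(sig, msg)
        # The trusted comment is covered by a second signature over sig || comment.
        pk.verify(global_sig, sig + trusted_comment.encode())
    except InvalidSignature:
        return False
    return True


def make_keypair():
    """Constructed demo key pair; the key id is 8 random bytes as in minisign."""
    sk = Ed25519PrivateKey.generate()
    key_id = os.urandom(8)
    pk_raw = sk.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return sk, key_id, base64.b64encode(b"Ed" + key_id + pk_raw).decode()


def sign(sk, key_id, data, trusted_comment="timestamp:0"):
    """Produce a .minisig-style file in prehashed ("ED") mode."""
    msg = hashlib.blake2b(data, digest_size=64).digest()
    sig = sk.sign(msg)
    global_sig = sk.sign(sig + trusted_comment.encode())
    return "\n".join([
        "untrusted comment: signature from constructed demo key",
        base64.b64encode(b"ED" + key_id + sig).decode(),
        TRUSTED_PREFIX + trusted_comment,
        base64.b64encode(global_sig).decode(),
    ]) + "\n"


def demo():
    """Sign constructed image bytes, then check the good file, a tampered file, and a wrong key."""
    sk, key_id, pk_b64 = make_keypair()
    _, _, other_pk_b64 = make_keypair()
    image = b"constructed release image bytes"
    minisig = sign(sk, key_id, image)
    tampered_comment = minisig.replace("timestamp:0", "timestamp:1")
    return (
        verify(pk_b64, minisig, image),
        verify(pk_b64, minisig, image + b"\x00"),
        verify(other_pk_b64, minisig, image),
        verify(pk_b64, tampered_comment, image),
    )


if __name__ == "__main__":
    print(demo())
```

The key id check is what lets a verifier reject a signature made with an unrelated key before doing any curve arithmetic, and the global signature is why editing the trusted comment (for example a timestamp) invalidates the file even though the image itself is untouched.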
I think we should switch to minisign to:
- Simplify release signature checking process for people and scripts alike.
- Avoid creating junk data in the image and avoid junk output (about initializing the PGP dir etc.).
- Keep images smaller.
To ensure key continuity, we can start including the minisign key and update the "add system image" script in 1.2.6, but keep signing releases with both GPG and minisign for now. 1.3.0 can be the last GPG-signed release, so that people can upgrade from any 1.2.x to 1.3.0 securely.