All Systems Go! 2025

Verification of OS artifacts without stateful keyrings
2025-09-30 , Gallery

Many OS artifacts today are still verified using proprietary, stateful keyring formats.
With the "File Hierarchy for the Verification of OS Artifacts (VOA)" an attempt is made to rid the ecosystem of this limitation by implementing a generic lookup directory.
With extensibility in mind, this unifying hierarchy currently provides integration for OpenPGP, with further integrations in planning.


While working on improvements to the ALPM ecosystem, the way packages and other OS artifacts are currently verified on Arch Linux has been evaluated.
Noticing the extensive vendor lock-in to GnuPG and with today's widespread availability of Stateless OpenPGP implementations in mind, a plan was hatched to create a more generic, stateless approach.

A specification and implementation for the UAPI group has been started to create a "File Hierarchy for the Verification of OS Artifacts (VOA)".
This approach is meant to be technology agnostic and allow further integrations, such as SSH and X.509.

Follow along for an overview of what this specification is trying to improve upon and how today's tools could benefit from it in the future.

I am a freelance software developer working on Arch Linux.

I am interested in and work on projects related to digital signatures, automation and package management.

This speaker also appears in: