Extend OpenPGP signing support with Stateless OpenPGP

[dvzrv]

mkosi commit the issue has been seen with

baab5c5

Used host distribution

Arch Linux

Used target distribution

Arch Linux

Linux kernel version used

6.10.10-arch1-1

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

Currently it is only possible to sign the SHA256SUMS file using gpg.
However, gnupg is a complex thing to get working properly (see #3040) and also starts to diverge from OpenPGP compatibility in >=2.4.

Better, more simple (and stateless) alternatives for the "sign an artifact" use-case exist with Stateless OpenPGP (SOP). With rsop we even have a SOP implementation with smartcard support!

To that end, it would be great to extend the signing capabilities in mkosi by allowing to set a specific OpenPGP implementation (e.g. using an OpenPGPTool / --openpgp-tool option in the [Validation] section).
The Key option would then need to support setting either an OpenPGP fingerprint (in the case of gpg) or a path to a key (or certificate) in the case of SOP implementations.

Additionally, it would be good to rename the currently used options in the [Validation] section: Sign to OpenPGPSign and Key to OpenPGPKey (that way one could use several signing schemes in parallel, e.g. the ones discussed in #624).

Closing, I would like to add, that .gpg is not a good signature suffix for OpenPGP signatures (e.g. .sig might be better as it is not OpenPGP implementation specific and indicates that it is a signature and not possibly a certificate or a keyring, etc.), but I guess that is currently somewhat fixed due to how sysupdate.d expects it. 🥲

Used mkosi config

[Output]
Format=disk
SplitArtifacts=yes

[Content]
Bootable=yes
Bootloader=systemd-boot
Hostname=arch
Packages=
	base
	linux
	nftables
	openssh
	systemd
UnifiedKernelImageFormat=%i-%v+&c
UnifiedKernelImages=yes

[Distribution]
Architecture=x86-64
Distribution=arch

[Host]
RuntimeScratch=no
RuntimeSize=12G

[Validation]
Checksum=yes
Key=<my-key-fingerprint>
Sign=yes

mkosi output

‣  Signing SHA256SUMS…
gpg: using "991F6E3F0765CF6295888586139B09DA5BF0D338" as default secret key for signing

[q2dg]

What about minisign? (https://jedisct1.github.io/minisign)

[wiktor-k]

What about minisign? (https://jedisct1.github.io/minisign)

I think this is a separate issue. SOP produces OpenPGP artifacts so systemd may verify it just fine with their existing gpg setup. Minisign would require changes on both ends.

I'm not saying it's a bad idea... just a little bit more complex.