Closed jmgurney closed 1 year ago
The format is stable, and there are no reasons to change it, besides adding support for a PQ scheme, but that can be done without breaking backward compatibility.
Minisign has been here since 2015, and signatures from 2015 can still be verified with all current implementations.
The C implementation itself, I don't know :) It's very stable as well, and the common options to generate/verify signatures are unlikely to change.
Some other command-line flags are not very consistent with other implementations. This is fine, but maybe something that's still worth changing before a 1.0 tag is added. So please allow me to do so before committing to not being able to make any changes to the CLI ever ever.
There's a minimal self-contained implementation in Zig that only does verification. Maybe tagging that one 1.0 first would be reasonable. I'll see :)
It's not so much not being able to change the CLI, but ensuring that the existing CLI is stable, that is -V will always be verify or how to specify keys will remain the same. New options can be added, and new functionality as well in a 1.x updates.
I would recommend that this project moves to major version 1.
Per semver (https://semver.org/):
This is a very bad guarantee for a security program like this.