
Re: [Bug-wget] feature request: automatically check OpenPGP signatures

From: Tim Ruehsen
Subject: Re: [Bug-wget] feature request: automatically check OpenPGP signatures
Date: Wed, 22 Jun 2016 10:33:50 +0200
User-agent: KMail/4.14.10 (Linux/4.6.0-1-amd64; KDE/4.14.21; x86_64; ; )

Hello Neal,

there already is a standard for such things, called Metalink, supported by 
wget (and most other download tools). The standard also contains support for 
OpenPGP signatures.



On Tuesday 21 June 2016 12:15:44 Neal H. Walfield wrote:
> Hi wget developers,
> It is unfortunately increasingly common that tutorials, howtos and
> installation programs do something like:
>   wget --no-check-certificate https://some.server/path/install.sh
>   chmod a+x install.sh
>   ./install.sh
> Ouch!
> It would be great if wget had an option to specify an OpenPGP
> fingerprint that should be used to check a signature.  I imagine
> something like this:
>   wget --check-sig 8F17777118A33DDA9BA48E62AACB3243630052D9 http://...
> (The signature could either be inline, which would prevent the use of
> the file until the signature is verified, which is arguably good, or
> automatically looked for in a separate file called, say, filename.sig,
> by default.)
> For users who are just copying and pasting, this represents no
> additional work while adding a fair amount of protection.  For
> developers, it is a bit more work, but they should be providing
> signatures anyways.  For those who already provide signatures, this
> would help ensure that people actually check them and it would
> simplify the installation guides.  See, for instance, tails:
>   https://tails.boum.org/install/expert/usb/
> Thanks for considering this feature request!
> :) Neal

Attachment: signature.asc
Description: This is a digitally signed message part.
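
An added example, not part of either message and not an existing wget option: one way to do the pinned-fingerprint check requested above with gpg on a detached signature. The function names are hypothetical, the signer's public key is assumed to be in the local keyring already, and the check relies on the machine-readable lines gpg writes with `--status-fd`.

```shell
#!/bin/sh
# Accept a download only if gpg reports a valid signature made by the
# pinned key. All function names here are illustrative (hypothetical).

# Strip whitespace and upper-case, so "8f17 7771 ..." style input works.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# status_has_pinned_sig PINNED_FPR   (gpg --status-fd output on stdin)
# Returns 0 only if a VALIDSIG line names the pinned fingerprint as the
# signing key (field 3) or its primary key (last field) and no status
# line reports a bad, unverifiable, expired or revoked signature or key.
# Returns 2 if the pin is not a full 40-hex-digit fingerprint.
status_has_pinned_sig() {
    pinned=$(normalize_fpr "$1")
    case "$pinned" in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    # Short key IDs are refused: they are too easy to collide.
    [ "${#pinned}" -eq 40 ] || return 2
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_download FILE SIGFILE PINNED_FPR
# Status lines go to stdout (fd 1); gpg's human-readable text is dropped.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_pinned_sig "$3"
}

# Intended use: run the script only after the check passes, e.g.
#   verify_download install.sh install.sh.sig "$PINNED" && sh ./install.sh
```

Matching on `VALIDSIG` rather than on gpg's exit code matters because a zero exit code only says that some key in the keyring produced a good signature, not that the pinned key did.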
