Re: [Bug-wget] feature request: automatically check OpenPGP signatures

[Tim Ruehsen]

Hello Neal,

there already is a standard for such things, called Metalink, supported by 
wget (and most other download tools). The standard also contains support for 
OpenPGP signatures.

[1]https://en.wikipedia.org/wiki/Metalink
[2]https://tools.ietf.org/html/rfc5854
[3]https://tools.ietf.org/html/rfc6249
[4]http://www.metalinker.org/

Tim

On Tuesday 21 June 2016 12:15:44 Neal H. Walfield wrote:
> Hi wget developers,
> 
> It is unfortunately increasingly common that tutorials, howtos and
> installation programs do something like:
> 
>   wget --no-check-certificate https://some.server/path/install.sh
>   chmod a+x install.sh
>   ./install.sh
> 
> Ouch!
> 
> It would be great if wget had an option to specify an OpenPGP
> fingerprint that should be used to check a signature.  I imagine
> something like this:
> 
>   wget --check-sig 8F17777118A33DDA9BA48E62AACB3243630052D9 http://...
> 
> (The signature could either be inline, which would prevent the use of
> the file until the signature is verified, which is arguably good, or
> automatically looked for in a separate file called, say, filename.sig,
> by default.)
> 
> For users who are just copying and pasting, this represents no
> additional work while adding a fair amount of protection.  For
> developers, it is a bit more work, but they should be providing
> signatures anyways.  For those who already provide signatures, this
> would help ensure that people actually check them and it would
> simplify the installation guides.  See, for instance, tails:
> 
>   https://tails.boum.org/install/expert/usb/
> 
> Thanks for considering this feature request!
> 
> :) Neal

signature.asc
Description: This is a digitally signed message part.