[Bug-wget] Signature verification support in wget?

bug-wget

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-wget] Signature verification support in wget?

From:	Ludovic Courtès
Subject:	[Bug-wget] Signature verification support in wget?
Date:	Wed, 30 Aug 2017 14:52:10 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Hello!

Following the GNU Hackers Meeting there was a discussion about the
ability to add signature verification support directly in wget, which
I’ll try to summarize here to get the ball rolling.

Darshit was suggesting having this:

  wget --verify-signature \
    https://ftp.gnu.org/gnu/recutils/recutils-1.7.tar.gz

whereby wget would automatically download recutils-1.7.tar.gz.sig and
run gpgv or similar.  Having something along these lines would be great
because it could help make things “secure by default”, as the marketing
folks would say.  :-)

The devil is in the detail though, and I was wondering whether having
that feature within wget might raise another set of issues, and
whether/how these could be solved.  Here are some examples:

  • Is the file named .sig, .sign, or .asc?

  • Is it the compressed tarball that’s signed or the uncompressed one
    (as on kernel.org)?

  • For GNU specifically, should we somehow honor the keyring that’s
    published on ftp.gnu.org?

  • What should wget do when a file is signed by an unknown OpenPGP key?
    Should it offer to import it in the user’s keyring?  Or abort?

  • How would --verify-signature report errors in a way that is
    intelligible to the user?

We dealt with some of these in the “guix import”¹ and “guix refresh”²
tools.  For example, the kernel.org and GNU updaters and importers work
slightly differently due to the different conventions being used.  These
commands also have a --key-download option to specify how unknown
OpenPGP keys should be handled.

It might be that the answer is that this feature is too “high level” for
wget after all, or that it should be made available in the form of wget2
plugins specifically tailored to one web site’s infrastructure
(kernel.org, gnu.org), or that we’d have to live with wget supporting
only one specific convention.

Thoughts?

Ludo’.

¹ https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-import.html
² https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-refresh.html

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-wget] Signature verification support in wget?, Ludovic Courtès <=
- Re: [Bug-wget] Signature verification support in wget?, Tim Rühsen, 2017/08/30
- Re: [Bug-wget] Signature verification support in wget?, Darshit Shah, 2017/08/30
  - Re: [Bug-wget] Signature verification support in wget?, Tim Rühsen, 2017/08/30

Prev by Date: Re: [Bug-wget] Compiling against libwget built with ubsan
Next by Date: Re: [Bug-wget] Signature verification support in wget?
Previous by thread: [Bug-wget] Compiling against libwget built with ubsan
Next by thread: Re: [Bug-wget] Signature verification support in wget?
Index(es):
- Date
- Thread