Re: [Bug-wget] Signature verification support in wget?
From: Tim Rühsen
Subject: Re: [Bug-wget] Signature verification support in wget?
Date: Wed, 30 Aug 2017 15:18:44 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
Hi Ludo,
thanks for heads up :-)
Darshit just opened an issue at https://gitlab.com/gnuwget/wget2/issues/266.
If you don't mind, I would add your suggestions there.
With Best Regards, Tim
On 08/30/2017 02:52 PM, Ludovic Courtès wrote:
> Hello!
>
> Following the GNU Hackers Meeting there was a discussion about the
> ability to add signature verification support directly in wget, which
> I’ll try to summarize here to get the ball rolling.
>
> Darshit was suggesting having this:
>
>   wget --verify-signature \
>     https://ftp.gnu.org/gnu/recutils/recutils-1.7.tar.gz
>
> whereby wget would automatically download recutils-1.7.tar.gz.sig and
> run gpgv or similar. Having something along these lines would be great
> because it could help make things “secure by default”, as the marketing
> folks would say. :-)
>
> The devil is in the detail though, and I was wondering whether having
> that feature within wget might raise another set of issues, and
> whether/how these could be solved. Here are some examples:
>
> • Is the file named .sig, .sign, or .asc?
>
> • Is it the compressed tarball that’s signed or the uncompressed one
> (as on kernel.org)?
>
> • For GNU specifically, should we somehow honor the keyring that’s
> published on ftp.gnu.org?
>
> • What should wget do when a file is signed by an unknown OpenPGP key?
> Should it offer to import it in the user’s keyring? Or abort?
>
> • How would --verify-signature report errors in a way that is
> intelligible to the user?
>
> We dealt with some of these in the “guix import”¹ and “guix refresh”²
> tools. For example, the kernel.org and GNU updaters and importers work
> slightly differently due to the different conventions being used. These
> commands also have a --key-download option to specify how unknown
> OpenPGP keys should be handled.
>
> It might be that the answer is that this feature is too “high level” for
> wget after all, or that it should be made available in the form of wget2
> plugins specifically tailored to one web site’s infrastructure
> (kernel.org, gnu.org), or that we’d have to live with wget supporting
> only one specific convention.
>
> Thoughts?
>
> Ludo’.
>
> ¹ https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-import.html
> ² https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-refresh.html
>
>
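
The open questions in the quoted message (which signature suffix, compressed or uncompressed tarball, unknown keys, intelligible errors) can be sketched as a wrapper around gpgv. This is an added example, not part of either message and not wget or Guix code; the function names, verdict words, the list of compression suffixes and the reject-on-unknown-key policy are assumptions.

```shell
#!/bin/sh
# Added example, not wget code. Function names and verdict words are assumptions.

# Print the signature URLs worth trying for a download URL, one per line:
# the three suffixes from the thread for the file as served, then the same
# suffixes for the uncompressed tarball (the kernel.org convention).
sig_candidates() {
    url=$1
    for suffix in sig sign asc; do
        printf '%s.%s\n' "$url" "$suffix"
    done
    case $url in
        *.tar.gz|*.tar.xz|*.tar.bz2|*.tar.lz)   # assumed list of compressors
            for suffix in sig sign asc; do
                printf '%s.%s\n' "${url%.*}" "$suffix"
            done ;;
    esac
}

# Read `gpgv --status-fd` output on stdin and print one verdict word.
# Failure states are tested first so that anything doubtful is rejected.
classify_status() {
    st=$(cat)
    case $st in
        *'[GNUPG:] BADSIG '*)    echo bad-signature ;;
        *'[GNUPG:] NO_PUBKEY '*) echo unknown-key ;;
        *'[GNUPG:] REVKEYSIG '*) echo revoked-key ;;
        *'[GNUPG:] EXPKEYSIG '*) echo expired-key ;;
        *'[GNUPG:] EXPSIG '*)    echo expired-signature ;;
        *'[GNUPG:] ERRSIG '*)    echo unverifiable ;;
        *'[GNUPG:] VALIDSIG '*)  echo good ;;
        *)                       echo no-signature ;;
    esac
}

# verify KEYRING SIGFILE DATAFILE: print the verdict, succeed only on "good".
# KEYRING should contain a slash, otherwise gpgv looks in its home directory.
verify() {
    verdict=$(gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null | classify_status)
    echo "$verdict"
    [ "$verdict" = good ]
}

# Constructed status output: signature made by a key absent from the keyring.
SAMPLE_UNKNOWN='[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1504098000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
# Constructed status output for a signature that verifies.
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-08-30 1504098000'
```

When the signature that exists is one of the last three candidates, the download has to be decompressed before it is passed to `verify` as DATAFILE.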