
Re: [Bug-wget] Signature verification support in wget?


From: Tim Rühsen
Subject: Re: [Bug-wget] Signature verification support in wget?
Date: Wed, 30 Aug 2017 15:18:44 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Hi Ludo,

thanks for the heads up :-)

Darshit just opened an issue at https://gitlab.com/gnuwget/wget2/issues/266.


If you don't mind, I would add your suggestions there.


With Best Regards, Tim



On 08/30/2017 02:52 PM, Ludovic Courtès wrote:
> Hello!
> 
> Following the GNU Hackers Meeting there was a discussion about the
> ability to add signature verification support directly in wget, which
> I’ll try to summarize here to get the ball rolling.
> 
> Darshit was suggesting having this:
> 
>   wget --verify-signature \
>     https://ftp.gnu.org/gnu/recutils/recutils-1.7.tar.gz
> 
> whereby wget would automatically download recutils-1.7.tar.gz.sig and
> run gpgv or similar.  Having something along these lines would be great
> because it could help make things “secure by default”, as the marketing
> folks would say.  :-)
> 
> The devil is in the detail though, and I was wondering whether having
> that feature within wget might raise another set of issues, and
> whether/how these could be solved.  Here are some examples:
> 
>   • Is the file named .sig, .sign, or .asc?
> 
>   • Is it the compressed tarball that’s signed or the uncompressed one
>     (as on kernel.org)?
> 
>   • For GNU specifically, should we somehow honor the keyring that’s
>     published on ftp.gnu.org?
> 
>   • What should wget do when a file is signed by an unknown OpenPGP key?
>     Should it offer to import it in the user’s keyring?  Or abort?
> 
>   • How would --verify-signature report errors in a way that is
>     intelligible to the user?
> 
> We dealt with some of these in the “guix import”¹ and “guix refresh”²
> tools.  For example, the kernel.org and GNU updaters and importers work
> slightly differently due to the different conventions being used.  These
> commands also have a --key-download option to specify how unknown
> OpenPGP keys should be handled.
> 
> It might be that the answer is that this feature is too “high level” for
> wget after all, or that it should be made available in the form of wget2
> plugins specifically tailored to one web site’s infrastructure
> (kernel.org, gnu.org), or that we’d have to live with wget supporting
> only one specific convention.
> 
> Thoughts?
> 
> Ludo’.
> 
> ¹ https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-import.html
> ² https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-refresh.html
> 
> 

Attachment: signature.asc
Description: OpenPGP digital signature
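The questions Ludo raises above (which suffix to try, whether the signature covers the compressed or the uncompressed tarball, which keyring to trust, what to do with an unknown key, how to report the result) map onto a small amount of convention handling. The following is an added example sketching that logic; it is not wget or wget2 code and does not represent how issue 266 was resolved. It touches no network and does not run gpgv: it produces candidate signature URLs, builds the gpgv command line, and interprets constructed `--status-fd` output. The `[GNUPG:]` tags are the documented GnuPG status lines; the keyring names, the key IDs and user IDs in the sample output are made up, the `--key-download` values are borrowed from guix (`never`, `interactive`, `always`), and using `-` as gpgv's data argument to read the decompressed stream from stdin is assumed from the `gpg --verify` form kernel.org documents.

```python
"""Convention handling that a hypothetical ``wget --verify-signature`` would need.

Added example, not wget or wget2 code.  Nothing here touches the network or
runs gpgv: it turns a URL into candidate signature URLs, builds the gpgv
command line, and interprets gpgv's --status-fd output from constructed lines.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

SIG_SUFFIXES = (".sig", ".asc", ".sign")  # the three names the thread asks about
COMPRESSED = re.compile(r"^(?P<base>.*\.tar)\.(?P<ext>gz|xz|bz2|lz|zst)$")
DECOMPRESS = {"gz": "gzip", "xz": "xz", "bz2": "bzip2", "lz": "lzip", "zst": "zstd"}


def signature_candidates(url: str) -> list[tuple[str, bool]]:
    """(signature_url, signature_covers_uncompressed_tarball) pairs, most likely first.

    GNU signs the compressed tarball: foo.tar.gz -> foo.tar.gz.sig.
    kernel.org signs the *uncompressed* tarball and publishes foo.tar.sign
    beside foo.tar.xz, so the stripped name is tried as a fallback.
    """
    cands = [(url + s, False) for s in SIG_SUFFIXES]
    m = COMPRESSED.match(url)
    if m:
        cands += [(m.group("base") + s, True) for s in SIG_SUFFIXES]
    return cands


def gpgv_command(keyring: str, sig_file: str, data_file: str,
                 signed_uncompressed: bool = False) -> str:
    """Shell command verifying sig_file over data_file against one fixed keyring.

    The keyring (for GNU, the gnu-keyring.gpg published on ftp.gnu.org) is
    passed explicitly so the result does not depend on the user's own keyring.
    --status-fd 1 makes gpgv print machine-readable result lines.
    For the kernel.org layout the decompressed stream is piped to gpgv with
    "-" as the data argument (assumed from the gpg --verify form kernel.org documents).
    """
    base = (f"gpgv --status-fd 1 --keyring {shlex.quote(keyring)} "
            f"{shlex.quote(sig_file)}")
    m = COMPRESSED.match(data_file)
    if signed_uncompressed and m:
        return f"{DECOMPRESS[m.group('ext')]} -cd {shlex.quote(data_file)} | {base} -"
    return f"{base} {shlex.quote(data_file)}"


@dataclass
class Verdict:
    status: str          # good | bad | unknown-key | expired-key | revoked-key | error
    key_id: str | None
    message: str         # the line --verify-signature would show the user


_STATUS = re.compile(r"^\[GNUPG:\] (?P<tag>\S+)(?: (?P<rest>.*))?$")
_KEY_ACTION = {  # what to do with an unknown key; values borrowed from guix --key-download
    "never": "aborting",
    "interactive": "import it into the keyring? [y/N]",
    "always": "fetching it from a key server",
}


def interpret_gpgv_status(status_output: str, key_download: str = "never") -> Verdict:
    """Reduce gpgv --status-fd lines to one verdict with an intelligible message.

    gpgv emits exactly one of GOODSIG / EXPKEYSIG / REVKEYSIG / BADSIG / ERRSIG
    per signature; NO_PUBKEY accompanies ERRSIG when the key is not in the
    keyring, and VALIDSIG carries the full fingerprint for a good signature.
    """
    tags: dict[str, list[str]] = {}
    for line in status_output.splitlines():
        m = _STATUS.match(line)
        if m:
            tags[m.group("tag")] = (m.group("rest") or "").split()
    if "BADSIG" in tags:
        return Verdict("bad", tags["BADSIG"][0],
                       "BAD signature: file does not match its signature; discarding it")
    if "REVKEYSIG" in tags:
        return Verdict("revoked-key", tags["REVKEYSIG"][0],
                       "signature made with a REVOKED key; discarding the file")
    if "EXPKEYSIG" in tags:
        return Verdict("expired-key", tags["EXPKEYSIG"][0],
                       "signature made with an expired key; discarding the file")
    if "GOODSIG" in tags:
        key_id, uid = tags["GOODSIG"][0], " ".join(tags["GOODSIG"][1:])
        fpr = tags.get("VALIDSIG", [key_id])[0]
        return Verdict("good", key_id, f"good signature from {uid} (fingerprint {fpr})")
    if "NO_PUBKEY" in tags:
        key_id = tags["NO_PUBKEY"][0]
        return Verdict("unknown-key", key_id,
                       f"signed by unknown OpenPGP key {key_id}: {_KEY_ACTION[key_download]}")
    return Verdict("error", None, "gpgv produced no usable result; discarding the file")


# Constructed gpgv outputs (fake key IDs and names); a real run reads these from gpgv's stdout.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG FEDCBA98765432100123456789ABCDEF01234567 2017-08-30 1504097924 0 4 0 1 8 00
"""
UNKNOWN_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1504097924 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

if __name__ == "__main__":
    url = "https://ftp.gnu.org/gnu/recutils/recutils-1.7.tar.gz"
    for sig_url, uncompressed in signature_candidates(url):
        print(sig_url, "(signs uncompressed tarball)" if uncompressed else "")
    print(gpgv_command("gnu-keyring.gpg", "recutils-1.7.tar.gz.sig", "recutils-1.7.tar.gz"))
    print(gpgv_command("kernel-keyring.gpg", "linux-4.13.tar.sign", "linux-4.13.tar.xz", True))
    print(interpret_gpgv_status(GOOD_STATUS).message)
    print(interpret_gpgv_status(UNKNOWN_KEY_STATUS, "interactive").message)
```

Two design points matter more than the parsing. Passing `--keyring` explicitly makes the verification answer "was this signed by a key the distribution site publishes" rather than "by anything the user happens to have imported", which is the question a secure-by-default download should ask. And every verdict other than `good` ends with the file being discarded: a wrapper that leaves an unverified tarball on disk after printing an error has done nothing a plain `wget` did not.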

