Hello Neal,

there already is a standard for such things, called Metalink, supported by wget (and most other download tools). The standard also contains support for OpenPGP signatures.

[1] https://en.wikipedia.org/wiki/Metalink
[2] https://tools.ietf.org/html/rfc5854
[3] https://tools.ietf.org/html/rfc6249
[4] http://www.metalinker.org/

Tim

On Tuesday 21 June 2016 12:15:44 Neal H. Walfield wrote:
> Hi wget developers,
>
> It is unfortunately increasingly common that tutorials, howtos and
> installation programs do something like:
>
>   wget --no-check-certificate https://some.server/path/install.sh
>   chmod a+x install.sh
>   ./install.sh
>
> Ouch!
>
> It would be great if wget had an option to specify an OpenPGP
> fingerprint that should be used to check a signature. I imagine
> something like this:
>
>   wget --check-sig 8F17777118A33DDA9BA48E62AACB3243630052D9 http://...
>
> (The signature could either be inline, which would prevent the use of
> the file until the signature is verified, which is arguably good, or
> automatically looked for in a separate file called, say, filename.sig,
> by default.)
>
> For users who are just copying and pasting, this represents no
> additional work while adding a fair amount of protection. For
> developers, it is a bit more work, but they should be providing
> signatures anyways. For those who already provide signatures, this
> would help ensure that people actually check them and it would
> simplify the installation guides. See, for instance, tails:
>
>   https://tails.boum.org/install/expert/usb/
>
> Thanks for considering this feature request!
>
> :) Neal
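
Added example, not part of the thread and not wget's code: a minimal reader for the RFC 5854 Metalink format mentioned above, which pulls the size, SHA-256 hash, OpenPGP signature and URLs for one file and rejects a download that does not match. The sample document, its file name and the placeholder signature text are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # RFC 5854 namespace
PGP_TYPE = "application/pgp-signature"

# Constructed sample: payload, file name and signature body are placeholders.
PAYLOAD = b"#!/bin/sh\necho installing\n"
SAMPLE = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="install.sh">
    <size>{len(PAYLOAD)}</size>
    <hash type="sha-256">{hashlib.sha256(PAYLOAD).hexdigest()}</hash>
    <signature mediatype="application/pgp-signature">PLACEHOLDER-ARMORED-SIGNATURE</signature>
    <url>https://some.server/path/install.sh</url>
  </file>
</metalink>"""


def parse_metalink(xml_text, name):
    """Return size, sha-256, signature and URLs for one <file> entry."""
    # For Metalink documents from untrusted sources, prefer a hardened XML parser.
    root = ET.fromstring(xml_text)
    for f in root.findall("ml:file", NS):
        if f.get("name") != name:
            continue
        hashes = {h.get("type"): (h.text or "").strip().lower()
                  for h in f.findall("ml:hash", NS)}
        sig = next((s for s in f.findall("ml:signature", NS)
                    if s.get("mediatype") == PGP_TYPE), None)
        size = f.findtext("ml:size", namespaces=NS)
        return {
            "size": int(size) if size else None,
            "sha256": hashes.get("sha-256"),
            "signature": sig.text.strip() if sig is not None and sig.text else None,
            "urls": [(u.text or "").strip() for u in f.findall("ml:url", NS)],
        }
    raise KeyError(name)


def check_download(entry, data):
    """Fail closed: a missing hash or any mismatch rejects the download."""
    if entry["sha256"] is None:
        return False
    if entry["size"] is not None and entry["size"] != len(data):
        return False
    return hashlib.sha256(data).hexdigest() == entry["sha256"]
```

The hash check only ties the download to the Metalink document, so it is worth no more than the channel that delivered that document. The extracted signature still has to be verified with an OpenPGP implementation against the expected key fingerprint before the file is run.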