Hi Ludo, thanks for the heads up :-)
Darshit just opened an issue at https://gitlab.com/gnuwget/wget2/issues/266. If you don't mind, I would add your suggestions there.

With Best Regards,
Tim

On 08/30/2017 02:52 PM, Ludovic Courtès wrote:
> Hello!
>
> Following the GNU Hackers Meeting there was a discussion about the
> ability to add signature verification support directly in wget, which
> I’ll try to summarize here to get the ball rolling.
>
> Darshit was suggesting having this:
>
>   wget --verify-signature \
>     https://ftp.gnu.org/gnu/recutils/recutils-1.7.tar.gz
>
> whereby wget would automatically download recutils-1.7.tar.gz.sig and
> run gpgv or similar. Having something along these lines would be great
> because it could help make things “secure by default”, as the marketing
> folks would say. :-)
>
> The devil is in the detail though, and I was wondering whether having
> that feature within wget might raise another set of issues, and
> whether/how these could be solved. Here are some examples:
>
> • Is the file named .sig, .sign, or .asc?
>
> • Is it the compressed tarball that’s signed or the uncompressed one
>   (as on kernel.org)?
>
> • For GNU specifically, should we somehow honor the keyring that’s
>   published on ftp.gnu.org?
>
> • What should wget do when a file is signed by an unknown OpenPGP key?
>   Should it offer to import it in the user’s keyring? Or abort?
>
> • How would --verify-signature report errors in a way that is
>   intelligible to the user?
>
> We dealt with some of these in the “guix import”¹ and “guix refresh”²
> tools. For example, the kernel.org and GNU updaters and importers work
> slightly differently due to the different conventions being used. These
> commands also have a --key-download option to specify how unknown
> OpenPGP keys should be handled.
>
> It might be that the answer is that this feature is too “high level” for
> wget after all, or that it should be made available in the form of wget2
> plugins specifically tailored to one web site’s infrastructure
> (kernel.org, gnu.org), or that we’d have to live with wget supporting
> only one specific convention.
>
> Thoughts?
>
> Ludo’.
>
> ¹ https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-import.html
> ² https://www.gnu.org/software/guix/manual/html_node/Invoking-guix-refresh.html
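As an added illustration of the download-then-verify flow the thread sketches (this is example code written for this page, not wget's, wget2's or Guix's implementation; the real feature is tracked in the issue above), the script below assumes `gpgv` is on PATH and that the caller passes a keyring file (for GNU that would naturally be the keyring published on ftp.gnu.org). It works through several of the open questions in the quoted message: it tries the `.sig`, `.sign` and `.asc` names in turn, falls back to signing the uncompressed tarball for compressed downloads (the kernel.org convention), turns gpgv's `--status-fd` output into a one-line verdict the user can read, and treats a signature from an unknown key as a failure rather than importing the key. The URL, keyring path and working directory are the caller's inputs; the `[GNUPG:]` status keywords are GnuPG's own, documented in its `doc/DETAILS` file.

```python
#!/usr/bin/env python3
"""Prototype of a --verify-signature download step (added example, not wget code).

Assumes: `gpgv` is installed; the caller supplies the keyring to trust.
"""
import bz2
import gzip
import lzma
import shutil
import subprocess
import sys
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

SIG_SUFFIXES = (".sig", ".sign", ".asc")          # detached-signature names seen in the wild
DECOMPRESSORS = {"gz": gzip.open, "bz2": bz2.open, "xz": lzma.open}


def signature_candidates(url):
    """Signature URLs to try, as (sig_url, over_uncompressed) pairs, most common first.

    GNU signs the compressed tarball (foo.tar.gz -> foo.tar.gz.sig); kernel.org signs
    the uncompressed one (linux.tar.xz -> linux.tar.sign), so the second group is only
    produced when the URL ends in a compression suffix we know how to undo.
    """
    cands = [(url + s, False) for s in SIG_SUFFIXES]
    path, _, name = url.rpartition("/")
    stem, dot, ext = name.rpartition(".")
    if dot and ext in DECOMPRESSORS:
        cands += [(f"{path}/{stem}{s}", True) for s in SIG_SUFFIXES]
    return cands


def classify_status(status_output):
    """Map gpgv --status-fd lines to a (verdict, detail) pair that is readable to a user."""
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)
        keyword, rest = parts[1], (parts[2] if len(parts) > 2 else "")
        if keyword == "GOODSIG":
            return "good", rest
        if keyword == "BADSIG":
            return "bad", rest
        if keyword == "NO_PUBKEY":                  # unknown key: report it, never auto-import
            return "unknown-key", rest.strip()
        if keyword in ("EXPKEYSIG", "REVKEYSIG"):
            return "key-" + ("expired" if keyword == "EXPKEYSIG" else "revoked"), rest
    return "error", "gpgv produced no usable verdict"


def fetch(url, dest):
    """Download url to dest; False on HTTP 404 so the caller can try the next name."""
    try:
        with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
            shutil.copyfileobj(resp, out)
        return True
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return False
        raise


def verify_with_gpgv(keyring, sig_path, data_path):
    """Run gpgv with status lines on stdout and classify them."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", str(keyring), str(sig_path), str(data_path)],
        capture_output=True, text=True)
    return classify_status(proc.stdout)


def verify_download(url, keyring, workdir):
    """Download url, locate its detached signature, verify; returns (verdict, detail, path)."""
    workdir = Path(workdir)
    artifact = workdir / url.rpartition("/")[2]
    if not fetch(url, artifact):
        return "error", f"{url} not found", None
    for sig_url, over_uncompressed in signature_candidates(url):
        sig_path = workdir / sig_url.rpartition("/")[2]
        if not fetch(sig_url, sig_path):
            continue
        data = artifact
        if over_uncompressed:                       # kernel.org style: verify the plain .tar
            data = workdir / artifact.stem          # "linux-4.13.tar.xz" -> "linux-4.13.tar"
            with DECOMPRESSORS[artifact.suffix[1:]](artifact) as src, open(data, "wb") as dst:
                shutil.copyfileobj(src, dst)
        verdict, detail = verify_with_gpgv(keyring, sig_path, data)
        return verdict, detail, artifact
    return "error", "no detached signature found (tried " + ", ".join(SIG_SUFFIXES) + ")", artifact


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py URL KEYRING")
    with tempfile.TemporaryDirectory() as tmp:
        verdict, detail, artifact = verify_download(sys.argv[1], sys.argv[2], tmp)
        print(f"{verdict}: {detail}")
        if verdict != "good":                       # nothing unverified leaves the temp dir
            sys.exit(1)
        shutil.copy(artifact, Path.cwd())
```

The design choice worth noting is that the downloaded file only reaches the current directory after a `good` verdict; an unknown key yields the key ID and a non-zero exit, leaving the decision to import it with the user rather than with the download tool.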