OpenPGP verification of downloaded tarball for GHC
Created by: Franciman
Hi,
I tried using gpg to verify the integrity of the downloaded tarball for GHC.
It seemed useful to me.
For now I have just made a sketchy implementation; it should probably be an optional feature and more configurable.
Also, I could use some advice on how to deal with the public key used for signing GHC tarballs. For now I saved it in a file and told gpg that it's trusted (forcing it with the --trusted-key option).
Let me know what you think about it!
I'm generally not very comfortable with anything that involves gpg and "automatic verification".
Cryptographic signing has many pitfalls and one is blindly downloading/trusting keys. It makes the whole point of it void.
In addition, we are not restricted to GHC upstream as the source for tarballs.
I think that verifying tarball integrity
Well, that can be done purely by sha checksums. Signatures are about trust. Building and managing trust is a manual procedure.
We would probably have to extend our .download-urls format somehow so we can feed it sha checksums and signature files per tarball. The latter could be optionally used for verification (cli switch) without any automatic trust setting.
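A verification step along the lines this reply describes (a pinned sha256 checksum per tarball, plus an optional detached-signature check against a keyring the operator fills by hand, so no trust is granted automatically) as an added example, not ghcup's code or the MR's; the function names, the keyring path and the `.download-urls` fields are assumptions:

```shell
#!/usr/bin/env sh
# Added example (hypothetical helper names; not ghcup's own code).
# Checksum verification is mandatory; signature verification runs only when a
# signature file and a caller-curated keyring are given, and never imports keys.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE's sha256 equals EXPECTED_HEX
verify_sha256() {
  vs_file=$1
  vs_expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    vs_actual=$(sha256sum "$vs_file" | cut -d' ' -f1)
  else
    vs_actual=$(shasum -a 256 "$vs_file" | cut -d' ' -f1)   # macOS/BSD fallback
  fi
  [ "$vs_actual" = "$vs_expected" ]
}

# verify_signature FILE SIGFILE KEYRING -> 0 only if gpg reports VALIDSIG from a
# key present in KEYRING. The default keyring is ignored, so the only keys that
# can ever validate are the ones the operator deliberately put in KEYRING.
verify_signature() {
  vsig_file=$1
  vsig_sig=$2
  vsig_keyring=$3
  gpg --batch --no-default-keyring --keyring "$vsig_keyring" \
      --status-fd 1 --verify "$vsig_sig" "$vsig_file" 2>/dev/null \
    | grep -q '^\[GNUPG:\] VALIDSIG '
}

# verify_tarball FILE EXPECTED_SHA256 [SIGFILE KEYRING]
# Returns 1 on checksum mismatch, 2 on a bad or unknown-key signature.
verify_tarball() {
  verify_sha256 "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
  if [ -n "${3:-}" ]; then
    verify_signature "$1" "$3" "${4:?keyring path required}" \
      || { echo "signature on $1 not valid for any key in $4" >&2; return 2; }
  fi
  return 0
}
```

Because `VALIDSIG` is emitted for any key in the keyring regardless of gpg's trust database, the keyring itself is the trust decision: populate it once by hand from a fingerprint you have checked, and never let the download path add to it.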