OpenPGP verification of downloaded tarball for GHC

Created by: Franciman

Hi, I tried using gpg to make integrity verification of the downloaded tarball for GHC. It seemed useful to me. For now I just made a sketchy implementation, probably it should be an optional feature and more configurable. Also I could use some advice on how to deal with the public key used for signing ghc tarballs, for now I saved it in a file and told gpg that it's trusted (forcing it with the use of --trusted-key option). Let me know what you think about it!

Created by: Franciman

I've fixed errors given by shellcheck, and I've put the correct URL for ghc public key download. Previously it referred to my fork's repository. Now the test is going to fail since in haskell/ghcup there is not the .ghc-public-key file yet.

I'm generally not very comfortable with anything that involves gpg and "automatic verification".

Cryptographic signing has many pitfalls and one is blindly downloading/trusting keys. It makes the whole point of it void.

In addition, we are not restricted to GHC upstream as the source for tarballs.

Created by: Franciman

Makes sense. How about verifying the signature using the user's keyring, then? Shouldn't other sources provide signatures or checksums too? I think that verifying tarball integrity is important, especially when the tarball contains an executable.

I think that verifying tarball integrity

Well, that can be done purely by sha checksums. Signatures are about trust. Building and managing trust is a manual procedure.

We would probably have to extend our .download-urls format somehow so we can feed it sha checksums and signature files per tarball. The latter could be optionally used for verification (cli switch) without any automatic trust setting.