I confirm this feature has not been previously requested
I have searched the issues and this feature has not previously been requested
Describe the solution you'd like
Quickget should be able to verify files with PGP keys, or other more secure methods, whenever such a method is available. This would improve security. Quickget_configs must provide these keys within the WebSource struct. In addition, the JSON files distributed through CI should also be signed, to ensure that there's virtually no chance of tampering.
Describe alternatives you've considered
There are no alternatives. The current method of using checksums fetched from the same mirror (which, to be clear, should still be done in addition) is not anywhere near as secure as PGP keys. It more or less serves to verify that the file you downloaded matches the file on the server, rather than what the source of the file is.
Additional context
PGP keys must be added as constant values, and never fetched from the internet in CI or at any point. That would defeat the entire purpose. Obviously, care must be taken to ensure that the keys are correct for the maintainers of each project.
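The verification flow the request describes, as an added shell example that is not quickget's or quickget_configs' code. It assumes `gpg`, `gpgconf` and `sha256sum` are installed; the maintainer key, the "demo.iso" file, the mirror directory and the `demo@example.invalid` identity are all constructed for the demo, and the exported public key stands in for the constant that WebSource would carry. The point it shows is the one made above: after a mirror-side attacker swaps the file and regenerates the checksum list beside it, the same-mirror checksum still passes, while verification against the pinned key fails.

```shell
#!/bin/sh
# Added example, not quickget/quickget_configs code. Everything here
# (key identity, files, directory names) is constructed for the demo.
set -u

# Build the fixture: an upstream signing key, a fake ISO, its checksum list
# and a detached signature over that list. The exported public key is the
# value the issue says should live as a constant inside the tool.
make_fixture() {
    WORK=$(mktemp -d)
    SIGNER_HOME="$WORK/upstream"            # stand-in for the maintainer's machine
    MIRROR="$WORK/mirror"                   # what quickget downloads from
    PINNED_KEY="$WORK/pinned_upstream.asc"  # would be a constant in WebSource
    mkdir -p "$SIGNER_HOME" "$MIRROR" && chmod 700 "$SIGNER_HOME"
    gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Maintainer <demo@example.invalid>' ed25519 sign 0
    gpg --homedir "$SIGNER_HOME" --batch --quiet --armor \
        --export demo@example.invalid > "$PINNED_KEY"
    printf 'pretend this is an ISO\n' > "$MIRROR/demo.iso"
    (cd "$MIRROR" && sha256sum demo.iso > SHA256SUMS)
    gpg --homedir "$SIGNER_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user demo@example.invalid \
        --detach-sign --output "$MIRROR/SHA256SUMS.gpg" "$MIRROR/SHA256SUMS"
    gpgconf --homedir "$SIGNER_HOME" --kill gpg-agent
}

# The check done today: a checksum list fetched from the same mirror.
# Proves the bytes match what the mirror serves, nothing about their origin.
checksum_only() {
    (cd "$1" && sha256sum --check --quiet --ignore-missing "$2" >/dev/null 2>&1)
}

# The proposed check: the checksum list must carry a good signature from the
# pinned key before it is trusted, and only then is the file checked against
# it. A throwaway GNUPGHOME holding nothing but the pinned key means the
# mirror cannot slip in a key of its own. Returns 0 only if both steps pass.
verify_download() {
    dir=$1 sums=$2 sig=$3
    vh=$(mktemp -d) && chmod 700 "$vh"
    ok=1
    if gpg --homedir "$vh" --batch --quiet --import "$PINNED_KEY" 2>/dev/null \
       && gpg --homedir "$vh" --batch --quiet --verify "$dir/$sig" "$dir/$sums" 2>/dev/null \
       && checksum_only "$dir" "$sums"; then
        ok=0
    fi
    gpgconf --homedir "$vh" --kill all 2>/dev/null
    rm -rf "$vh"
    return "$ok"
}

# Mirror-side attacker: replace the file and regenerate the checksum list
# next to it. Without the private key, SHA256SUMS.gpg cannot be regenerated.
tamper_mirror() {
    printf 'backdoored image\n' > "$MIRROR/demo.iso"
    (cd "$MIRROR" && sha256sum demo.iso > SHA256SUMS)
}

# Runs the three checks and reports them on one line.
demo() {
    make_fixture >/dev/null 2>&1
    a=$(verify_download "$MIRROR" SHA256SUMS SHA256SUMS.gpg && echo pass || echo FAIL)
    tamper_mirror
    b=$(checksum_only "$MIRROR" SHA256SUMS && echo pass || echo FAIL)
    c=$(verify_download "$MIRROR" SHA256SUMS SHA256SUMS.gpg && echo pass || echo FAIL)
    echo "pristine:$a tampered-checksum-only:$b tampered-signed:$c"
}

demo
```

The order inside `verify_download` is the part that matters: the signature over the checksum list is checked first, against a keyring that contains only the pinned key, and `sha256sum --check` is run only after that succeeds. Reversing the order, or importing whatever key the mirror offers, reduces the whole thing back to the same-mirror checksum the issue is arguing against.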