File responses should allow signed files #31
Comments
|
We shall investigate the best practices here, but is this signing the file, or the request / response payload? As discussed in another thread we do supply file MD5s |
|
This is the author of the file signing it, and providing a digital signature (.asc files for gpg/pgp) with the file that you just distribute. (The signatures are roughly speaking (read up on some literature for more details) encrypting a pair of file length and cryptographic hash with the authors private key.) This allows a user to verify that the file he got from the API (including the signature) is actually something the author published. The user will have to obtain the public key of the author via some other means (keyservers most likely, key signing parties, whatever). This is not about making sure that the server handed you the file the API indicated[1][2], but that the file you got handed is one the author published at some point. [1] Since we assume that the API and the server are controlled by the same party, and if not[2] you should be able to check that the server handed you something wrong with proper hashes #30 and file length. |
(Since in parts this API is trying to provide similar things as some package managers, learning some lessons from those is a good thing to do.)
It would be nice if one could optionally sign (most likely GPG (at least that is what most *nix package managers or related tools use, I'll still point towards OpenBSDs signify to indicate that there are alternatives)) mod files, so users of the API could verify that the files are actually the same as the mod creator provided. This removes some need to trust the actual API endpoint too much.
The text was updated successfully, but these errors were encountered: