eric-hawthorne / relish

Automatically exported from code.google.com/p/relish
BSD 3-Clause "New" or "Revised" License

Implement signing of shared artifacts #49

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Both the metadata.txt file and version zip files for a shared (published) 
artifact should be signed using the secret private key of the origin, so that 
the files' content can be verified using the public key of the origin.

The origin public key should be certified as belonging to the origin name. This 
can be done by getting the origin public key - origin name association signed 
by relish.pl's secret certifying private key. Then the association can be 
verified using relish.pl's public key, which can be distributed with each 
relish distribution.

Original issue reported on code.google.com by relis...@gmail.com on 29 Sep 2013 at 3:00
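
The two-level check described in this issue, sketched as an added example that is not relish's own code. Ed25519, the `OriginCert` layout, the length-prefixed binding encoding, the origin name `origin.example` and the fixed-seed keys are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

type OriginCert struct { // binds an origin name to its public key (hypothetical layout)
	Origin string
	PubKey ed25519.PublicKey
	Sig    []byte // certifier's signature over bindingBytes(Origin, PubKey)
}

// bindingBytes length-prefixes the name so the name/key boundary is unambiguous.
func bindingBytes(origin string, pub ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("%d:%s:", len(origin), origin)), pub...)
}

// VerifyArtifact checks the chain: certifying key -> (origin, key) -> file content.
func VerifyArtifact(root ed25519.PublicKey, cert OriginCert, wantOrigin string, content, sig []byte) error {
	if cert.Origin != wantOrigin {
		return errors.New("certificate names a different origin")
	}
	if len(cert.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(root, bindingBytes(cert.Origin, cert.PubKey), cert.Sig) {
		return errors.New("origin key is not certified by the trusted key")
	}
	if !ed25519.Verify(cert.PubKey, content, sig) {
		return errors.New("file signature does not match origin key")
	}
	return nil
}

// demo builds constructed keys from fixed seeds; real keys come from crypto/rand.
func demo() (ed25519.PublicKey, OriginCert, []byte, []byte) {
	rootPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	originPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	pub := originPriv.Public().(ed25519.PublicKey)
	cert := OriginCert{"origin.example", pub, ed25519.Sign(rootPriv, bindingBytes("origin.example", pub))}
	meta := []byte("constructed metadata.txt content")
	return rootPriv.Public().(ed25519.PublicKey), cert, meta, ed25519.Sign(originPriv, meta)
}

func main() {
	root, cert, meta, sig := demo()
	fmt.Println("intact:", VerifyArtifact(root, cert, "origin.example", meta, sig))
	fmt.Println("tampered:", VerifyArtifact(root, cert, "origin.example", append(meta, '!'), sig))
}
```

The same `VerifyArtifact` call applies to both metadata.txt and a version zip file, since each is just signed bytes under the origin key.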

GoogleCodeExporter commented 9 years ago
The signing of artifact version zip files is done.

Signing of metadata.txt file is not done.

Original comment by relis...@gmail.com on 1 Jan 2014 at 11:40