I confirm this feature has not been previously requested
[x] I have searched the issues and this feature has not previously been requested
Describe the solution you'd like
Quickget should be able to verify files with PGP keys, or other more secure methods, whenever such is available. This would improve security. Quickget_configs must provide these keys, within the WebSource struct. In addition, the json files distributed through CI should also be signed, to ensure that there's virtually no chance of tampering.
Describe alternatives you've considered
There are no alternatives. The current method of using checksums fetched from the same mirror (which, to be clear, should still be done in addition) is not anywhere near as secure as PGP keys. It more or less serves to verify that the file you downloaded matches the file on the server, rather than what the source of the file is.
Additional context
PGP keys must be added as constant values, and never fetched from the internet in CI or at any point. That would defeat the entire purpose. Obviously, care must be taken to ensure that the keys are correct for the maintainers of each project.
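A sketch of the pinned-key check requested above, added here as an example and not taken from quickget or quickget_configs. It assumes the signature is checked by running `gpg --status-fd 1 --verify` and that the expected primary-key fingerprint is compiled in as a constant; `PINNED_FPR`, `Verdict`, `check_gpg_status` and all sample values are hypothetical.

```rust
// Added example. PINNED_FPR, Verdict and check_gpg_status are hypothetical names,
// not quickget's API; the fingerprints and status lines are constructed.
const PINNED_FPR: &str = "0123456789ABCDEF0123456789ABCDEF01234567";
// Constructed output: a signing subkey whose primary key is the pinned one.
const SAMPLE: &str = "[GNUPG:] NEWSIG\n\
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key\n\
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 \
1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n";

#[derive(Debug, PartialEq)]
enum Verdict { Trusted, WrongSigner(String), Rejected(String) }

/// Judge the status text from `gpg --status-fd 1 --verify FILE.sig FILE`.
fn check_gpg_status(status: &str, pinned: &str) -> Verdict {
    let mut signers: Vec<String> = Vec::new();
    for line in status.lines() {
        let mut words = line.split_whitespace();
        if words.next() != Some("[GNUPG:]") { continue; }
        let keyword = words.next().unwrap_or("");
        match keyword {
            // Bad, unverifiable or expired signature, expired or revoked key.
            "BADSIG" | "ERRSIG" | "EXPSIG" | "EXPKEYSIG" | "REVKEYSIG" => {
                return Verdict::Rejected(keyword.to_string());
            }
            "VALIDSIG" => {
                let args: Vec<&str> = words.collect();
                // Argument 10 is the primary key fingerprint; argument 1 is the signing (sub)key.
                if let Some(fpr) = args.get(9).or(args.first()) {
                    signers.push(fpr.to_ascii_uppercase());
                }
            }
            _ => {}
        }
    }
    // A valid signature only counts when it comes from the compiled-in key.
    if signers.iter().any(|fpr| fpr == pinned) {
        return Verdict::Trusted;
    }
    match signers.pop() {
        Some(fpr) => Verdict::WrongSigner(fpr),
        None => Verdict::Rejected("no VALIDSIG".to_string()),
    }
}

fn main() {
    println!("{:?}", check_gpg_status(SAMPLE, PINNED_FPR));
}
```

A mirror that serves its own key alongside a file it signed produces a `VALIDSIG` line too, which is why the comparison against the compiled-in fingerprint, not gpg's exit status alone, decides the result.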