Core Server / SERVER-5455

Sign source archives (tgz, zip, etc) with a public GPG key


    Details

    • Backwards Compatibility:
      Fully Compatible

      Description

      === Task ===
      Check integrity and authenticity of the downloaded source archive.

      === Description ===
      You could create a hash (e.g. sha256) of the archive and place it in a file available for download with the archive.
      Then this file containing a hash has to be signed with a trusted GPG key (for example, anything PKI is good), making the public key widely available.
      That way one could verify the integrity of the file and authenticity of the file.
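
An added sketch of the downloader's side of this proposal; it is not part of the ticket or the project's tooling. It assumes `gpg` is on the PATH with the signer's public key already imported and a detached signature over the checksum file; the file name, fingerprint and sample data are constructed placeholders. Run `signature_ok` first and trust the listed digest only if it passes.

```python
import hashlib
import hmac
import subprocess

HEX = set("0123456789abcdef")

def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64 and set(parts[0].lower()) <= HEX:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def archive_matches(archive_bytes, name, checksum_text):
    """True only if the archive's SHA-256 equals the digest listed for name."""
    expected = parse_checksums(checksum_text).get(name)
    if expected is None:  # an unlisted file is a failure, not a pass
        return False
    return hmac.compare_digest(hashlib.sha256(archive_bytes).hexdigest(), expected)

def validsig_fingerprints(status_output):
    """Fingerprints from GnuPG VALIDSIG status lines (signing and primary key)."""
    found = set()
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            found.update({f[2].upper(), f[-1].upper()})
    return found

def signature_ok(checksum_path, sig_path, pinned_fpr):
    """Check the detached signature and that it was made by the pinned key.

    A zero exit code alone only means some key in the keyring signed the file.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, checksum_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and pinned_fpr.upper() in validsig_fingerprints(proc.stdout)

# Constructed sample data, not a real release or key.
SAMPLE_ARCHIVE = b"constructed archive bytes"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  example-src.tgz\n"
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = ("[GNUPG:] VALIDSIG " + SAMPLE_FPR
                 + " 2024-01-01 1704067200 0 4 0 1 8 00 " + SAMPLE_FPR + "\n")
```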


              People

              Assignee:
              ernie.hershey Ernie Hershey
              Reporter:
              bpawlak Błażej Pawlak
              Votes:
              4
              Watchers:
              12
