Description
=== Task ===
Check integrity and authenticity of the downloaded source archive.
=== Description ===
You could create a hash (e.g. sha256) of the archive and place it in a file available for download with the archive.
Then this file containing a hash has to be signed with a trusted GPG key (for example, anything PKI is good), making the public key widely available.
That way one could verify the integrity of the file and authenticity of the file.
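The scheme proposed above, written out as an added shell example; it is not part of the original ticket or the project's release tooling. The function names and the keyring path are assumptions, and the keyring is assumed to contain only the publisher's public key, obtained over a separate channel from the archive.

```shell
#!/bin/sh
# Added example: publisher and downloader sides of a signed-checksum scheme.
# Layout assumed here: <archive>, <archive>.sha256, <archive>.sha256.asc

# Publisher: record the archive's SHA-256 next to the archive.
# Run from the archive's directory so the checksum file holds a bare file name.
write_checksum() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Publisher: detached, ASCII-armored signature over the checksum file.
sign_checksum() {
    archive=$1
    gpg --armor --detach-sign --output "$archive.sha256.asc" "$archive.sha256"
}

# Downloader, step 1 (authenticity): check the signature on the checksum file.
# gpgv accepts only keys present in the given keyring, so a signature made
# with any other key fails. Pass the keyring as a path containing a slash.
verify_signature() {
    archive=$1
    keyring=$2
    gpgv --keyring "$keyring" "$archive.sha256.asc" "$archive.sha256"
}

# Downloader, step 2 (integrity): recompute the hash and compare it with the
# value in the checksum file. Non-zero exit status on any mismatch.
verify_checksum() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 )
}

# Downloader: the signature is checked first, because an unsigned checksum
# file can be replaced together with the archive it describes.
verify_download() {
    verify_signature "$1" "$2" && verify_checksum "$1"
}
```

A downloader would call `verify_download ./src.tgz ./release-keyring.gpg` and treat any non-zero exit status as a failed download.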
Issue Links
- is related to
  - DOCS-2772 Add links to PGP keys to installation instructions (Closed)
  - SERVER-4808 Provide repo downloads of older versions of packages (Closed)
- related to
  - SERVER-8770 Sign RPM packages available via the 10gen yum repository (Closed)