feature request: automatically check OpenPGP signatures

Neal H. Walfield neal at walfield.org
Tue Jun 21 12:15:44 CEST 2016


Hi wget developers,

It is unfortunately increasingly common that tutorials, howtos and
installation programs do something like:

  wget --no-check-certificate https://some.server/path/install.sh
  chmod a+x install.sh
  ./install.sh

Ouch!

It would be great if wget had an option to specify an OpenPGP
fingerprint that should be used to check a signature.  I imagine
something like this:

  wget --check-sig 8F17777118A33DDA9BA48E62AACB3243630052D9 http://...

(The signature could either be inline, which would prevent the use of
the file until the signature is verified, which is arguably good, or
automatically looked for in a separate file called, say, filename.sig,
by default.)

For users who are just copying and pasting, this represents no
additional work while adding a fair amount of protection.  For
developers, it is a bit more work, but they should be providing
signatures anyway.  For those who already provide signatures, this
would help ensure that people actually check them and it would
simplify the installation guides.  See, for instance, Tails:

  https://tails.boum.org/install/expert/usb/

Thanks for considering this feature request!

:) Neal

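The flow the request describes, as an added example that is not part of the original message and not code from wget or GnuPG: a POSIX shell wrapper that fetches a URL and its detached signature (assumed, as suggested above, to live at URL.sig), verifies it with gpg, and accepts the download only if a `VALIDSIG` status line names the expected fingerprint. The point of parsing `--status-fd` rather than trusting gpg's exit code is that `gpg --verify` returns 0 for a good signature by *any* key in the keyring, so the exit status alone does not bind the file to the key the user asked for. The function names, the `wget-checksig.sh` usage, the assumption that `wget` and `gpg` are on PATH, and the sample status lines used for a self-check are all mine, not from the message.

```shell
#!/bin/sh
# wget-checksig.sh: fetch URL and URL.sig, accept the file only if it carries
# a valid OpenPGP signature made by the key with the expected fingerprint.
# (Illustrative wrapper; neither wget nor gpg provides this as an option.)

# Read gpg --status-fd output on stdin and succeed only if at least one
# VALIDSIG line was produced by the key whose fingerprint is $1.
# A GOODSIG/VALIDSIG from any *other* key in the keyring is rejected.
check_gpg_status() (
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    set -f                      # no globbing while we word-split status lines
    found=1
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] VALIDSIG '*) ;;
            *) continue ;;
        esac
        set -- $line
        # $3   = fingerprint of the key that made the signature
        # ${12} = fingerprint of its primary key (present when a subkey signed)
        if [ "$3" = "$want" ] || [ "${12:-}" = "$want" ]; then
            found=0
        fi
    done
    return $found
)

# fetch_verified FINGERPRINT URL [OUTPUT]
# TLS verification stays on (no --no-check-certificate); the file is only
# moved into place after the signature check passes.
fetch_verified() {
    fpr=$1
    url=$2
    out=${3:-$(basename "$url")}
    tmp=$(mktemp -d) || return 1

    # Make sure the expected key is in the keyring. Fetching it from a
    # keyserver is safe here only because the fingerprint is checked below.
    if ! gpg --batch --list-keys "$fpr" >/dev/null 2>&1; then
        gpg --batch --recv-keys "$fpr" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    fi

    if ! wget -q -O "$tmp/file" "$url" || ! wget -q -O "$tmp/file.sig" "$url.sig"; then
        rm -rf "$tmp"; return 1
    fi

    # Pipeline status is check_gpg_status's, not gpg's exit code.
    if gpg --batch --status-fd 1 --verify "$tmp/file.sig" "$tmp/file" 2>/dev/null \
        | check_gpg_status "$fpr"; then
        mv "$tmp/file" "$out" && rm -rf "$tmp" && return 0
    fi
    echo "signature check failed for $url" >&2
    rm -rf "$tmp"
    return 1
}

# Usage: sh wget-checksig.sh 8F17777118A33DDA9BA48E62AACB3243630052D9 https://some.server/path/install.sh
if [ $# -ge 2 ]; then
    fetch_verified "$@"
fi
```

Only after `fetch_verified` returns 0 does `install.sh` exist in the working directory, so the `chmod`/`./install.sh` steps from the tutorial pattern cannot run an unverified file. Note that an inline (clearsigned or non-detached) signature, the other option mentioned above, would additionally need `gpg --output` to strip the signature before the file is usable.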


More information about the Gnupg-devel mailing list