feature request: automatically check OpenPGP signatures

Neal H. Walfield neal at walfield.org
Tue Jun 21 15:03:05 CEST 2016


On Tue, 21 Jun 2016 13:59:53 +0200,
Robert J. Hansen wrote:
> > It is unfortunately increasingly common that tutorials, howtos and
> > installation programs do something like:
> > 
> >   wget --no-check-certificate https://some.server/path/install.sh
> >   chmod a+x install.sh
> >   ./install.sh
> Let me make sure I understand this:
> (a) People care so little about security they'll disable certificate
>     checks, but
> (b) The same people who care so little about security will care
>     enough about it to make OpenPGP signatures available.

I have a less disingenuous take.  The problem has to do with
self-signed certificates.  People have gone to the trouble of enabling
TLS on their web servers (yeah!), but they don't want to pay for a
certificate (which are of questionable value, anyways).  This is
starting to change thanks to Let's Encrypt, but Let's Encrypt has just
started and the required tools are not yet integrated into stable OS

Also, you ignore that this feature makes it easier for people to check
signatures, which are already available.

:) Neal

More information about the Gnupg-devel mailing list