Automated signature verification for downloads
Anthony Bryan
anthonybryan at gmail.com
Fri Apr 18 23:26:26 CEST 2008
Hi,
Metalink Checker (Python) now supports automated signature
verification for downloads with .metalink files.
.metalink files are XML and list mirrors, checksums, signatures, and
other information, used for improving downloads and automating
advanced features. There are about 20 metalink download clients, from
CLI to GUI, on all platforms, from download managers to Web browsers.
Currently, only the cURL project includes signatures in their
.metalinks and only Metalink Checker supports verifying them.
To try it out, download Metalink Checker [1]. You need gnupg or
gpg4win installed for signature verification.
Go to the cURL download page [2] and get a .metalink [3]
If you don't already have it, import the cURL GPG key (you can find it
at the upper right of [2]) or put it in a key.asc file in the same
directory.
At the command line type:
python metalink.py -d -f metalink.cgi
(In most situations, the file would be called
curl-7.18.1.tar.gz.metalink instead of metalink.cgi).
You'll then see:
Downloading to curl-7.18.1.tar.gz
[#########################------------------------------] 47% 1.00/2.12 MB
-----BEGIN PGP SIGNATURE INFORMATION-----
timestamp: Sun, 30 Mar 2008 05:10:27 (Eastern Daylight Time)
fingerprint: 914C533DF9B2ADA2204F586D78E11C6B279D5C91
uid: Daniel Stenberg (Haxx) <daniel at haxx.se>
-----END PGP SIGNATURE INFORMATION-----
[#######################################################] 100% 2.12/2.12 MB
Any comments/suggestions?
More metalink info at http://en.wikipedia.org/wiki/Metalink
--
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
)) Easier, More Reliable, Self Healing Downloads
[1] http://metamirrors.nl/metalinks_project
[2] http://curl.haxx.se/download.html
[3] http://curl.haxx.se/metalink.cgi?curl=tar.gz
More information about the Gnupg-users
mailing list