Automated signature verification for downloads

Anthony Bryan anthonybryan at gmail.com
Wed Apr 23 09:33:27 CEST 2008


Hi Werner, thanks for replying.

On Wed, Apr 23, 2008 at 2:35 AM, Werner Koch <wk at gnupg.org> wrote:
> On Fri, 18 Apr 2008 23:26, anthonybryan at gmail.com said:
>
>  > .metalink files are XML and list mirrors, checksums, signatures, and
>  > other information, used for improving downloads and automating
>  > advanced features. There are about 20 metalink download clients, from
>  > CLI to GUI, on all platforms, from download managers to Web browsers.
>
>  I read the wikipedia article and browsed the metalink site but was not
>  able to find any specification.  A list of supporting programs is not
>  that helpful to understand the format.

The metalink specification is at
http://www.metalinker.org/implementation.html#spec
I agree, it's not easy enough to find. That will be fixed.

>  > Downloading to curl-7.18.1.tar.gz
>  > [#########################------------------------------] 47% 1.00/2.12 MB
>  > -----BEGIN PGP SIGNATURE INFORMATION-----
>  > timestamp: Sun, 30 Mar 2008 05:10:27 (Eastern Daylight Time)
>  > fingerprint: 914C533DF9B2ADA2204F586D78E11C6B279D5C91
>  > uid: Daniel Stenberg (Haxx) <daniel at haxx.se>
>  > -----END PGP SIGNATURE INFORMATION-----
>
>  I do not understand what this is about.  Using header lines very similar
>  to those defined by OpenPGP is a bit questionable.

In case it wasn't clear, the file is downloaded using the mirrors and
checksum listed in the metalink. Then the file is verified using the
signature in the metalink.

The headers are produced by GnuPG when it verifies the signature
(AFAIK). Is there a problem with this?

The metalink is XML and can be viewed in a text editor. The metalink
used in the example is at http://curl.haxx.se/metalink.cgi?curl=tar.gz
- I think if you view it, it will be clear what's going on.

Here is the portion of the metalink you would probably be most interested in:

<verification>
<hash type="md5">6315db7c4373b586bac5f528322ba10e</hash>
<hash type="sha1">5d72f9fbf3eab6474a8dc22192056119030087f6</hash>
<signature type="pgp" file="curl-7.18.1.tar.gz.asc">
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBH71kDeOEcayedXJERAmfWAJ0bsBFUJ6ooykT2qPeegvIH4KIVqACfRtt5
Rv6MJSuz/b6NItnG7zoYGFw=
=GKuk
-----END PGP SIGNATURE-----
</signature>
</verification>

-- 
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
 )) Easier, More Reliable, Self Healing Downloads
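The verification step the message describes (match the downloaded bytes against the checksums in the metalink, then verify the detached PGP signature carried in the same file) as an added Python example. It is not code from the message, from metalinker.org or from any metalink client. It assumes a constructed metalink whose digests are those of the three bytes b"abc" with a placeholder signature body, and it relies on gpg's `--status-fd` status lines; the pinned fingerprint is the one shown in the quoted download output. Two checks a client should not skip are built in: a hash algorithm that is unknown locally is reported as "not checked" rather than as a pass, and a signature counts only when gpg reports VALIDSIG from the key the client already trusts, since the hashes and the signature travel together and a GOODSIG from whatever key happens to be in the keyring proves nothing about authenticity.

```python
import hashlib
import hmac
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, not the curl metalink from the list message. The digests
# are those of b"abc"; the signature body is a placeholder, so only the hash
# checks can be exercised offline.
SAMPLE_FILE = b"abc"
SAMPLE_METALINK = """<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
<files><file name="sample.tar.gz">
<verification>
<hash type="md5">900150983cd24fb0d6963f7d28e17f72</hash>
<hash type="sha1">a9993e364706816aba3e25717850c26c9cd0d89d</hash>
<hash type="sha256">ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad</hash>
<signature type="pgp" file="sample.tar.gz.asc">
-----BEGIN PGP SIGNATURE-----

(placeholder: a real metalink carries the ASCII-armoured detached signature here)
-----END PGP SIGNATURE-----
</signature>
</verification>
</file></files>
</metalink>
"""

# Fingerprint the client must trust ahead of time; taken from the quoted output.
PINNED_FINGERPRINT = "914C533DF9B2ADA2204F586D78E11C6B279D5C91"

# Digests that should not be accepted as the only evidence of integrity.
WEAK_HASHES = {"md5", "sha1"}


def _local(tag):
    """Strip the XML namespace so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_verification(xml_text):
    """Return ({hash_type: hex_digest}, signature dict or None)."""
    hashes, signature = {}, None
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "hash":
            hashes[el.get("type", "").lower()] = (el.text or "").strip().lower()
        elif name == "signature":
            signature = {"type": el.get("type"), "file": el.get("file"),
                         "text": (el.text or "").strip() + "\n"}
    return hashes, signature


def check_hashes(data, hashes):
    """{hash_type: True/False/None}; None = algorithm unavailable locally."""
    results = {}
    for htype, expected in hashes.items():
        algo = htype.replace("-", "")  # accept "sha-256" as well as "sha256"
        if algo not in hashlib.algorithms_available:
            results[htype] = None
            continue
        actual = hashlib.new(algo, data).hexdigest()
        results[htype] = hmac.compare_digest(actual, expected)
    return results


def hashes_acceptable(results):
    """No computable digest failed, and at least one non-weak digest matched."""
    if any(ok is False for ok in results.values()):
        return False
    return any(ok for htype, ok in results.items() if htype not in WEAK_HASHES)


def gpg_verify_argv(download_path, signature):
    """Write the armoured signature beside the download, return the gpg argv."""
    sig_path = Path(download_path).with_name(signature["file"])
    sig_path.write_text(signature["text"])
    return ["gpg", "--batch", "--status-fd", "1", "--verify",
            str(sig_path), str(download_path)]


def signature_is_trusted(status_output, pinned_fingerprint):
    """Accept only a VALIDSIG status line whose signing key is the pinned one."""
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return f[2].upper() == pinned_fingerprint.upper()
    return False


def verify_download(download_path, metalink_text, pinned_fingerprint):
    """Full client-side check: digests first, then the pinned PGP signature."""
    data = Path(download_path).read_bytes()
    hashes, signature = parse_verification(metalink_text)
    if not hashes_acceptable(check_hashes(data, hashes)):
        return False
    if signature is None or signature["type"] != "pgp":
        return False
    proc = subprocess.run(gpg_verify_argv(download_path, signature),
                          capture_output=True, text=True)
    return proc.returncode == 0 and signature_is_trusted(proc.stdout,
                                                         pinned_fingerprint)
```

`verify_download` is the entry point a client would call after the mirrors have delivered the file; the helpers are separated so the digest logic and the status-line parsing can be exercised without a keyring or network access.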



More information about the Gnupg-users mailing list