Automated signature verification for downloads

Anthony Bryan anthonybryan at
Wed Apr 23 09:33:27 CEST 2008

Hi Werner, thanks for replying.

On Wed, Apr 23, 2008 at 2:35 AM, Werner Koch <wk at> wrote:
> On Fri, 18 Apr 2008 23:26, anthonybryan at said:
>  > .metalink files are XML and list mirrors, checksums, signatures, and
>  > other information, used for improving downloads and automating
>  > advanced features. There are about 20 metalink download clients, from
>  > CLI to GUI, on all platforms, from download managers to Web browsers.
>  I read the Wikipedia article and browsed the metalink site but was not
>  able to find any specification.  A list of supporting programs is not
>  that helpful to understand the format.

The metalink specification is at
I agree, it's not easy enough to find. That will be fixed.

>  > Downloading to curl-7.18.1.tar.gz
>  > [#########################------------------------------] 47% 1.00/2.12 MB
>  > timestamp: Sun, 30 Mar 2008 05:10:27 (Eastern Daylight Time)
>  > fingerprint: 914C533DF9B2ADA2204F586D78E11C6B279D5C91
>  > uid: Daniel Stenberg (Haxx) <daniel at>
>  I do not understand what this is about.  Using header lines very similar
>  to those defined by OpenPGP is a bit questionable.

In case it wasn't clear, the file is downloaded using the mirrors and
checksum listed in the metalink. Then the file is verified using the
signature in the metalink.

The headers are produced by GnuPG when it verifies the signature
(AFAIK). Is there a problem with this?

The metalink is XML and can be viewed in a text editor. The metalink
used in the example is at
- I think if you view it, it will be clear what's going on.

Here is the portion of the metalink you would probably be most interested in:

<hash type="md5">6315db7c4373b586bac5f528322ba10e</hash>
<hash type="sha1">5d72f9fbf3eab6474a8dc22192056119030087f6</hash>
<signature type="pgp" file="curl-7.18.1.tar.gz.asc">
Version: GnuPG v1.4.6 (GNU/Linux)


(( Anthony Bryan ... Metalink [ ]
 )) Easier, More Reliable, Self Healing Downloads
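
The flow described in the message above (check the download against a hash listed in the metalink, then check its PGP signature), as an added Python example that is not part of the original post or of any metalink client. It assumes the Metalink 3.0 wrapper elements and namespace shown, reads GnuPG's machine-readable `--status-fd` lines rather than its human-readable headers, and accepts a signature only when the signing key's fingerprint matches one obtained separately from the metalink; function names, sample data and the status line are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

PREFERENCE = ("sha256", "sha1", "md5")  # strongest listed hash wins
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_verification(metalink_xml):
    """Return ({hash type: hex digest}, armored PGP signature or None)."""
    hashes, signature = {}, None
    for el in ET.fromstring(metalink_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if tag == "hash" and el.text:
            hashes[el.get("type", "").lower()] = el.text.strip().lower()
        elif tag == "signature" and el.get("type") == "pgp":
            signature = (el.text or "").strip()
    return hashes, signature

def checksum_ok(data, hashes):
    """Check data against the strongest hash listed; fail closed if none is usable."""
    for name in PREFERENCE:
        if name in hashes:
            return hashlib.new(name, data).hexdigest() == hashes[name]
    return False

def signature_ok(status_output, pinned_fpr):
    """Judge `gpg --status-fd 1 --verify SIG FILE` output against a pinned fingerprint."""
    valid = False
    for parts in (line.split() for line in status_output.splitlines()):
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FAILURES:
            return False  # any bad, expired or revoked result rejects the file
        if parts[1] == "VALIDSIG":
            valid = valid or parts[2].upper() == pinned_fpr.upper()
    return valid

# Constructed sample input (not the curl metalink from the post).
DATA = b"constructed sample payload\n"
METALINK = f"""<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="sample.bin"><verification>
  <hash type="md5">{hashlib.md5(DATA).hexdigest()}</hash>
  <hash type="sha1">{hashlib.sha1(DATA).hexdigest()}</hash>
  <signature type="pgp" file="sample.bin.asc">(armored signature here)</signature>
 </verification></file></files></metalink>"""
PINNED = "914C533DF9B2ADA2204F586D78E11C6B279D5C91"  # fingerprint shown in the post
STATUS = f"[GNUPG:] VALIDSIG {PINNED} 2008-03-30 1206868227 0 4 0 17 2 00 {PINNED}\n"

if __name__ == "__main__":
    print(checksum_ok(DATA, parse_verification(METALINK)[0]), signature_ok(STATUS, PINNED))
```

Because the hashes and the signature travel in the same file, the hash check only detects transfer damage; the pinned-fingerprint comparison is what ties the download to a particular signer.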
