Determine validation key from asc signature file #219

reidmv · 2021-10-01T19:26:55Z

Rather than expecting that downloaded files will be signed with a known key, simply use the key from the signature asc file.

The purpose of this validation isn't to validate authenticity. It is only to validate digest. Because the packages we download have been signed with multiple different keys over the years, it isn't possible to anticipate a default key and expect it to work for all downloads.

Fixes #216

Adjust message language, add message for moving temp file into target location on successful download

Rather than expecting that downloaded files will be signed with a known key, simply use the key from the signature asc file. The purpose of this validation isn't to validate authenticity. It is only to validate digest.

reidmv added 2 commits October 1, 2021 12:09

Improve logging of peadm::download

bb8a795

Adjust message language, add message for moving temp file into target location on successful download

Determine signing key from asc file

4e3e52a

Rather than expecting that downloaded files will be signed with a known key, simply use the key from the signature asc file. The purpose of this validation isn't to validate authenticity. It is only to validate digest.

reidmv added the bugfix label Oct 1, 2021

reidmv requested a review from a team as a code owner October 1, 2021 19:26

davidsandilands approved these changes Oct 4, 2021

View reviewed changes

davidsandilands merged commit 009b631 into main Oct 4, 2021

davidsandilands deleted the GH-216 branch October 4, 2021 15:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Determine validation key from asc signature file #219

Determine validation key from asc signature file #219

reidmv commented Oct 1, 2021

Determine validation key from asc signature file #219

Determine validation key from asc signature file #219

Conversation

reidmv commented Oct 1, 2021