Digital signatures in Metalinks
Anthony Bryan
implementation of this feature.
Metalink Checker (Python) now supports automated signature
verification for downloads.
currently, only the cURL project includes signatures in their
.metalinks and only Metalink Checker supports verifying them.
to try it out, get Metalink Checker. You need gnupg or gpg4win
installed for signature verification. should work on win or linux.
if you don't already have it, import the cURL GPG key (you can find it
at the upper right of http://curl.haxx.se/download.html ) or put it in
a key.asc file in the same directory.
at the command line type:
python metalink.py -d -f http://curl.haxx.se/metalink.cgi?curl=tar.gz
Downloading to curl-7.18.1.tar.gz
[#########################------------------------------] 47% 1.00/2.12 MB
-----BEGIN PGP SIGNATURE INFORMATION-----
timestamp: Sun, 30 Mar 2008 05:10:27 (Eastern Daylight Time)
fingerprint: 914C533DF9B2ADA2204F586D78E11C6B279D5C91
uid: Daniel Stenberg (Haxx) <dan...@haxx.se>
-----END PGP SIGNATURE INFORMATION-----
[#######################################################] 100% 2.12/2.12 MB
On Fri, Apr 18, 2008 at 3:18 PM, Neil M. <nabb...@gmail.com> wrote:
>
> I updated the wiki page to illustrate the breakdown of feature groups
> more clearly. I took a look at the table in the Wikipedia Metalink
> article and tried to base it on those features. I recommended everyone
> take a look at your favorite metalink client and see what grouping it
> falls into and what that might mean. Also feel free to add any features
> I might have forgotten.
wiki looks good, I added where I thought clients fit in roughly, which
I see has been updated
http://groups.google.com/group/metalink-discussion/web/metalink-support-levels
> As for a test suite, I think the best we've got so far is my collection
> here:
>
> http://metalinks.svn.sourceforge.net/viewvc/metalinks/checker/testcases/
did I totally miss this? I had no idea you did em!
> As I've mentioned before the included files are huge (openoffice) and
> not very conducive to quick testing. I'm thinking cURL may be a good
> candidate as a replacement for the data files since they are very small
> packages (~2MB). Anyone else have any suggestions on testing?
curl seems good.
> Finally, I recently released Metalink Checker 3.7. This is the first
> Metalink Client to implement PGP signature checking. Right now the cURL
> project seems to be the only one generating metalink files with PGP
> signatures. You can get the latest version of Metalink Checker here
> (Python and GPG required for PGP signature checks, http://www.gnupg.org):
>
> http://metalinks.svn.sourceforge.net/viewvc/metalinks/checker/metalink.py?view=markup
yay!
--
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
)) Easier, More Reliable, Self Healing Downloads