PGP-based Signing and Verification of Packages #22

Open
ghost opened this issue Feb 18, 2016 · 0 comments

ghost commented Feb 18, 2016

Distributed file hosting has many benefits (see #2), but it also has a downside: every mirror can tamper with files.

To maintain integrity (and make it easier for users to trust the mirrors), we should provide for the ability to sign a mod after it is uploaded, and before it is distributed. This way, users and CKAN can verify that the package has not been tampered with, and contains what the package claims it contains, instead of, say, a Mono exploit that'll work with the Unity engine.

"Trust, but verify" is a very good motto.

@ghost ghost added this to the Content Delivery milestone Feb 18, 2016
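The sign-after-upload, verify-before-install flow the issue proposes, as an added example that is not CKAN's code and not part of the issue. It uses Go's standard-library Ed25519 as a stand-in for PGP (Go has no OpenPGP in its stdlib); the package name and archive bytes are constructed. The security point is the same either way: the verifying key is pinned on the client side, not fetched from the mirror that served the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a mod archive as a mirror serves it: the bytes plus a detached
// signature made by the repository's signing key at upload time.
type Package struct {
	Name      string
	Data      []byte
	Signature []byte
}

// Sign runs on the repository after upload and before distribution.
// The signature covers the SHA-256 digest of the archive contents.
func Sign(priv ed25519.PrivateKey, name string, data []byte) Package {
	digest := sha256.Sum256(data)
	return Package{Name: name, Data: data, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify runs on the client (or CKAN) before anything fetched from a mirror
// is installed. pub is the pinned repository key; a mirror that changes the
// bytes cannot produce a matching signature without the repository's key.
func Verify(pub ed25519.PublicKey, pkg Package) error {
	digest := sha256.Sum256(pkg.Data)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("signature does not match contents; refusing to install " + pkg.Name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample bytes standing in for a mod zip (hypothetical name).
	genuine := Sign(priv, "ExampleMod-1.0.zip", []byte("PK\x03\x04 constructed mod archive bytes"))
	fmt.Println("genuine mirror copy:", Verify(pub, genuine))

	// A mirror that alters the archive still has to ship the original signature.
	tampered := genuine
	tampered.Data = append(append([]byte{}, genuine.Data...), []byte(" mirror-modified bytes")...)
	fmt.Println("tampered mirror copy:", Verify(pub, tampered))
}
```

Verifying against a key downloaded from the same mirror would defeat the check, since the mirror could then sign its own altered copy; the key has to ship with the client or come from a separate trusted channel.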