You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cloudstack.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2018/02/09 16:26:00 UTC
[jira] [Created] (CLOUDSTACK-10280) Please use HTTPS for KEYS, sigs
and hashes
Sebb created CLOUDSTACK-10280:
---------------------------------
Summary: Please use HTTPS for KEYS, sigs and hashes
Key: CLOUDSTACK-10280
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280
Project: CloudStack
Issue Type: Improvement
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: Sebb
The download page is generally fine.
However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.
Also the gpg command should read:
gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
i.e. both the detached sig and the artifact itself should be specified.
See: https://www.apache.org/info/verification.html#CheckingSignatures
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)