Posted to repository@apache.org by Nick Chalko <ni...@chalko.com> on 2004/07/15 22:59:31 UTC

Trusting md5

I just wanted to walk through the steps needed to trust an MD5 signature,
using mirrors.
Given a unified directory/repository structure between mirrors and the
official source, here is what I think the steps are:

   1. User/tool visits the official repository for a resource, and gets
      a list of mirrors.
   2. User/tool browses and finds desired download from a mirror.
      http://mirror.org/group/project/artifact.zip
   3. User/tool downloads matching MD5 from https of official site,
      say https://repo.apache.org/group/project/artifact.zip.MD5
         1. User/tool verifies the validity of the
            https://repo.apache.org certificate.
   4. User/tool compares downloaded MD5 to generated md5 of downloaded
      artifact.
         1. If no match then delete downloaded file and report error.


Have I overlooked anything?

R,
Nick
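
The steps 3 and 4 listed in the message above, as an added example that is not part of the original post or of any Apache tool. The function names, the accepted digest-file layouts and the check that a redirect has not left https are assumptions; the algorithm is a parameter so the same flow can run with a stronger hash.

```python
# Added example; all function names are illustrative, not from the post.
import hashlib
import hmac
import os
import re
import ssl
import urllib.request


def fetch_official_digest(url):
    """Step 3: fetch the digest file from the official site over https only."""
    if not url.lower().startswith("https://"):
        raise ValueError("digest must come from the official site over https")
    # Step 3.1: the default context verifies the certificate chain and hostname.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        if not resp.geturl().lower().startswith("https://"):
            raise ValueError("redirected away from https: " + resp.geturl())
        return resp.read(4096).decode("ascii", "replace")


def parse_digest(text, algo="md5"):
    """Accept 'hex', 'hex  filename' or 'MD5 (filename) = hex' layouts."""
    width = hashlib.new(algo).digest_size * 2
    pattern = r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{%d}(?![0-9A-Fa-f])" % width
    match = re.search(pattern, text)
    if match is None:
        raise ValueError("no %s digest found in official file" % algo)
    return match.group(0).lower()


def file_digest(path, algo="md5"):
    """Hash the mirror download in chunks so large artifacts fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, official_text, algo="md5"):
    """Step 4: compare digests; step 4.1: delete the file and report on mismatch."""
    expected = parse_digest(official_text, algo)
    actual = file_digest(path, algo)
    if not hmac.compare_digest(expected, actual):
        os.remove(path)
        raise ValueError("digest mismatch for %s: expected %s, got %s"
                         % (path, expected, actual))
    return actual
```
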