Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-10280

Please use HTTPS for KEYS, sigs and hashes

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • None
    • None
    • None
    • Security Level: Public (Anyone can view this level - this is the default.)
    • None

    Description

      The download page is generally fine.

      However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.

      Also the gpg command should read:

      gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2

      i.e. both the detached sig and the artifact itself should be specified.
      See: https://www.apache.org/info/verification.html#CheckingSignatures

      Attachments

        Activity

          People

            Unassigned Unassigned
            sebb Sebb
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: