Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- Security Level: Public (Anyone can view this level - this is the default.)
Description
The download page is generally fine.
However, the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https.
Also the gpg command should read:
gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2
i.e. both the detached sig and the artifact itself should be specified.
See: https://www.apache.org/info/verification.html#CheckingSignatures
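
A lint for the two problems this report names, as an added example that is not part of the original issue or the project's code: it flags explicit http:// links to KEYS, signature and hash files, and a documented `gpg --verify` command that names only the `.asc`. The sample page, the host `downloads.example.org`, the suffix list and the function names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# File suffixes users rely on to verify a release (signatures and hashes).
VERIFICATION_SUFFIXES = (".asc", ".sig", ".md5", ".sha1", ".sha256", ".sha512")

class _Collector(HTMLParser):
    """Collects every <a href> value and the page's visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
    def handle_data(self, data):
        self.text.append(data)

def is_verification_link(href):
    """True for links to KEYS, detached signatures, or hash files."""
    name = urlsplit(href).path.rsplit("/", 1)[-1]
    return name == "KEYS" or name.lower().endswith(VERIFICATION_SUFFIXES)

def audit_download_page(html):
    """Return (kind, detail) findings for the two problems in the report."""
    page = _Collector()
    page.feed(html)
    findings = []
    for href in page.hrefs:
        # Relative links carry no scheme (they inherit the page's), so skip them.
        if is_verification_link(href) and urlsplit(href).scheme == "http":
            findings.append(("insecure-link", href))
    for line in "".join(page.text).splitlines():
        m = re.search(r"gpg\s+--verify\s+(\S.*)", line)
        # A documented command naming only the .asc leaves out the artifact.
        if m and len(m.group(1).split()) < 2:
            findings.append(("gpg-verify-missing-artifact", line.strip()))
    return findings

# Constructed sample page; downloads.example.org is a placeholder host.
SAMPLE = """
<a href="http://downloads.example.org/KEYS">KEYS</a>
<a href="https://downloads.example.org/apache-cloudstack-X.X.X-src.tar.bz2">src</a>
<a href="http://downloads.example.org/apache-cloudstack-X.X.X-src.tar.bz2.asc">PGP</a>
<a href="https://downloads.example.org/apache-cloudstack-X.X.X-src.tar.bz2.sha512">SHA512</a>
<pre>gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc</pre>
"""
print(audit_download_page(SAMPLE))
```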