> > What does this offer in practice, assuming any catalogue is downloaded from
> > a trusted location over https, above validating the file against the file
> > hash in the catalogue?
Not all that much, given that if you can compromise the download, you can also compromise the hash. Mostly just that the bits you downloaded were saved correctly by your local machine. Signing really becomes useful when you are downloading from mirror B and want to verify the bits from trusted origin A. But in this case, that isn't really useful - if you can fake the bits, and the bits are the only source of information about where the "trusted" origin of the bits is, then of course that can be faked too. Which is the problem certificate authorities exist to solve. I'm not sure treating Maven Central as a de-facto one is a fabulous idea though - and certainly fails the test for non-open-source modules.

-Tim
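The distinction drawn above, as an added example that is not from the thread or from any real repository client: a hash that travels in the same catalogue as the artifact is recomputed by whoever tampers with the download, so the hash-only check still passes, while a signature checked against a key the client pinned out of band from origin A does not. Ed25519 from Go's standard library stands in for whatever signing scheme a real catalogue would use, and the `Entry` layout and artifact contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is what a mirror serves: the artifact, the catalogue's hash for it, and
// origin A's signature over that hash. Constructed layout, not a real metadata format.
type Entry struct {
	Artifact []byte
	SHA256   string
	Sig      []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is origin A: hash the artifact and sign the hash with A's private key.
func Publish(priv ed25519.PrivateKey, artifact []byte) Entry {
	h := sha256Hex(artifact)
	return Entry{Artifact: artifact, SHA256: h, Sig: ed25519.Sign(priv, []byte(h))}
}

// Tamper models a compromised mirror or download path: the bytes are replaced and
// the catalogue hash is recomputed to match. The signature cannot be regenerated
// without A's private key, so the stale one is passed through unchanged.
func Tamper(e Entry, replacement []byte) Entry {
	return Entry{Artifact: replacement, SHA256: sha256Hex(replacement), Sig: e.Sig}
}

// CheckHash verifies the artifact only against the hash that travelled with it.
func CheckHash(e Entry) bool { return sha256Hex(e.Artifact) == e.SHA256 }

// CheckSignature verifies the catalogue hash against a public key pinned out of
// band (trusted origin A), then checks the artifact against that verified hash.
func CheckSignature(pinned ed25519.PublicKey, e Entry) bool {
	return ed25519.Verify(pinned, []byte(e.SHA256), e.Sig) && CheckHash(e)
}

// Scenario returns (hash-only check, pinned-key signature check) for a tampered download.
func Scenario() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := Publish(priv, []byte("module-1.0.jar contents (constructed)"))
	tampered := Tamper(original, []byte("module-1.0.jar with altered contents (constructed)"))
	return CheckHash(tampered), CheckSignature(pub, tampered)
}

func main() {
	h, s := Scenario()
	fmt.Printf("tampered download: hash-only check passes=%v, pinned-key signature check passes=%v\n", h, s)
}
```

The pinned key is the piece the catalogue itself cannot supply; if the client learns A's key from the same download, the example collapses back to the hash-only case.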
