On 23/10/17 19:14, Oskar Lundström wrote:
> Is there a way to download the source code of dnsmasq over HTTPS?
> Alternatively, a hash fingerprint of the source code, which is supplied over
> a secure connection (like HTTPS).

All the tarballs are signed with my public key, fingerprint E19135A2, which
can be obtained in a trusted manner from, amongst other places, the Debian
keyserver.

gpg --keyserver keyring.debian.org --recv-keys E19135A2

Download the tarball from the server and the signature file, i.e.
dnsmasq-2.78.tar.gz.asc and dnsmasq-2.78.tar.gz, and verify that the
signature matches:

srk@holly:~$ gpg --verify dnsmasq-2.78.tar.gz.asc dnsmasq-2.78.tar.gz
gpg: Signature made Mon 02 Oct 2017 14:39:56 BST using RSA key ID E19135A2
gpg: Good signature from "Simon Kelley <si...@thekelleys.org.uk>"
gpg:                 aka "Simon Kelley <s...@debian.org>"

Which tells you that the tarball/signature pair could only have been created
by someone in possession of the private key matching the public key you
downloaded in the first step. Neither can be altered without breaking the
verification. Therefore, as long as you trust the Debian keyserver to give
you the correct public key, the source code cannot have been altered.

Test and release-candidates are signed with a different key. (They are
signed automatically, so the private key has to exist on the server without
a protecting passphrase, which exposes it to server security: I don't want
to do that to my main key.) That key is downloadable from the website, and
it has fingerprint 7F7EF234.

I'll sign this message with my main public key, so you can trust the
fingerprint above, and be sure you got an untampered copy of that key.

That provides rather more certainty than a dodgy certificate on an https
website.

Cheers,

Simon.
Description: OpenPGP digital signature
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasqemail@example.com http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
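The procedure in Simon's reply (fetch the key, download tarball and .asc, run gpg --verify) is what a release checker should automate, with two practitioner refinements: pin the full 40-hex-digit fingerprint rather than a 32-bit short key ID such as E19135A2 (short IDs can be collided cheaply), and decide from gpg's machine-readable status lines rather than from the human-readable "Good signature" text. The script below is an added example, not code from the dnsmasq project or from the list post; it assumes GnuPG 2.1 or later is installed, and its demo builds a throwaway passphrase-less key in a temporary keyring and signs a constructed stand-in for the tarball, so it runs offline without contacting any keyserver. The function name verify_tarball and the user ID of the throwaway key are this example's own choices.

```shell
#!/bin/sh
# Added example (not from dnsmasq or the list post): check a detached
# OpenPGP signature over a release tarball against a pinned fingerprint.
set -eu

# verify_tarball PINNED_FPR TARBALL SIGFILE GNUPGHOME
# Returns 0 only if SIGFILE is a valid signature over TARBALL made by the
# key whose full fingerprint (or whose primary key's fingerprint) equals
# PINNED_FPR. Any other outcome, including a "Good signature" from some
# other key, returns 1.
verify_tarball() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    tarball=$2; sigfile=$3; keyring=$4

    # A short key ID like E19135A2 is only 32 bits and collidable; insist
    # on a full 40-hex-digit (v4) fingerprint.
    case "$pinned" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#pinned}" -eq 40 ] || return 1

    # --status-fd 1 emits locale-independent "[GNUPG:] ..." lines. The exit
    # status alone says nothing about WHICH key produced the signature, and
    # the "not certified with a trusted signature" warning is irrelevant
    # here because the pinned fingerprint replaces the web of trust.
    status=$(GNUPGHOME=$keyring gpg --batch --status-fd 1 \
                 --verify "$sigfile" "$tarball" 2>/dev/null || true)

    # VALIDSIG <signing-key fpr> <date> <ts> <exp> <ver> <res> <pkalgo>
    #          <hashalgo> <class> <primary-key fpr>
    validsig=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$validsig" ] || return 1
    set -- $validsig
    sigkey=$3
    eval "primary=\${$#}"
    [ "$sigkey" = "$pinned" ] || [ "$primary" = "$pinned" ]
}

# demo: throwaway keyring + constructed tarball; exercises the good case,
# a tampered tarball and a wrong pinned fingerprint. Returns 0 only if all
# three behave as expected.
demo() {
    work=$(mktemp -d)
    trap 'gpgconf --homedir "$work/gnupg" --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    mkdir -m 700 "$work/gnupg"
    export GNUPGHOME="$work/gnupg"

    # Throwaway, passphrase-less signing key standing in for the release key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Release Signer <signer@example.invalid>' \
        default default 0 2>/dev/null
    # First fpr: record after the pub: record is the primary fingerprint.
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }')

    # Constructed stand-in for dnsmasq-X.YY.tar.gz; the bytes are irrelevant.
    tarball="$work/dnsmasq-example.tar.gz"
    printf 'constructed tarball bytes\n' > "$tarball"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$tarball.asc" "$tarball"

    # 1. untouched tarball, correct pin: must pass
    verify_tarball "$fpr" "$tarball" "$tarball.asc" "$GNUPGHOME" || return 1

    # 2. correct tarball but a different (rotated-digit) pinned fingerprint:
    #    gpg still says "Good signature", the checker must still refuse
    wrong=$(printf '%s' "$fpr" | tr '0123456789ABCDEF' '123456789ABCDEF0')
    if verify_tarball "$wrong" "$tarball" "$tarball.asc" "$GNUPGHOME"; then return 1; fi

    # 3. tarball modified after signing: must fail
    printf 'x' >> "$tarball"
    if verify_tarball "$fpr" "$tarball" "$tarball.asc" "$GNUPGHOME"; then return 1; fi
    return 0
}

# Run the self-check when invoked as: sh verify.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

For a real release you would populate the isolated keyring once with `gpg --homedir "$keyring" --keyserver keyring.debian.org --recv-keys <full fingerprint>` (the fingerprint obtained out of band, as the post describes), then call `verify_tarball <full fingerprint> dnsmasq-2.78.tar.gz dnsmasq-2.78.tar.gz.asc "$keyring"` from the build script and abort on a non-zero return.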