Daniel Carrera wrote:
4) Lastly, while we are at it, why don't we add a signature file to the
_par directory?
_par/
    META.info
    CHECKSUMS.asc
The CHECKSUMS.asc file would contain the SHA1 sums of every file in the
archive except for itself. The file could be GPG-signed with --armor
(.asc extension).
To expand on this idea: The current JIB spec includes an Author field in
META.info. The spec says:
- Author CPAN author id
This is perfect. We can offer that people create a CPAN id before
distributing apps in PAR format, and upload their GPG public key. Then,
when the user installs the app, the installer downloads the public key
from CPAN and checks the signature.
Of course, we can't mandate that people register with CPAN. This is just
a service. So there should be an option to check a signature using a
public key you got from elsewhere, or to disable the signature check
entirely.
Daniel.
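The manifest build and install-time verification described in the message above, as an added example in Python (not PAR's, JIB's or CPAN's own code). The `sha1  path` line format, the `_par/CHECKSUMS.asc` location, the use of `gpg --clearsign` for the signature, the gpg invocation and the sample archive layout are all assumptions made here. It goes one step past the message: besides checking that every listed file matches, it also reports files in the archive that the manifest does not list, since a signed manifest says nothing about files that are not in it.

```python
"""Added example: signed CHECKSUMS manifest for a PAR-style archive tree.
Assumptions: manifest lives at _par/CHECKSUMS.asc, lines are "sha1  path",
the file is clearsigned with gpg, and a gpg binary is on PATH."""
import hashlib
import re
import subprocess
from pathlib import Path

MANIFEST = "_par/CHECKSUMS.asc"                      # assumed location, next to META.info
LINE_RE = re.compile(r"^([0-9a-f]{40})  (\S.*)$")    # assumed "sha1  relative/path" line


def sha1_of(path):
    """Hex SHA-1 of a file, streamed so large members are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Manifest text for every file under root except the manifest itself."""
    root = Path(root)
    lines = [f"{sha1_of(p)}  {p.relative_to(root).as_posix()}"
             for p in sorted(root.rglob("*"))
             if p.is_file() and p.relative_to(root).as_posix() != MANIFEST]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """{path: sha1} from manifest text. Anything malformed, absolute, duplicated
    or containing '..' is rejected: the file is attacker-controlled until verified."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m or m.group(2).startswith("/") or ".." in m.group(2).split("/") \
                or m.group(2) in entries:
            raise ValueError(f"bad manifest line {n}: {line!r}")
        entries[m.group(2)] = m.group(1)
    return entries


def verify_tree(root, manifest_text):
    """Compare an unpacked tree with the manifest. Clean only if all lists are empty;
    'extra' catches files the signer never listed (e.g. a dropped-in .pm)."""
    root = Path(root)
    expected = parse_manifest(manifest_text)
    actual = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    actual.pop(MANIFEST, None)                        # the manifest does not list itself
    report = {"modified": [], "missing": [], "extra": sorted(set(actual) - set(expected))}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif sha1_of(actual[rel]) != digest:
            report["modified"].append(rel)
    return report


def is_clean(report):
    return not any(report.values())


def strip_clearsign(text):
    """Body of a clearsigned file with NO verification (only for the 'check disabled' case)."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text
    body = text.split("\n\n", 1)[1].split("\n-----BEGIN PGP SIGNATURE-----", 1)[0]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.splitlines()) + "\n"


def gpg_verify_and_extract(manifest_path, expected_fpr, homedir=None):
    """Run gpg on the clearsigned manifest and return the signed text. The signature
    must come from expected_fpr (the key fetched for the CPAN author id, or one the
    user supplied); a valid signature from any other key in the keyring is refused."""
    cmd = ["gpg", "--batch", "--status-fd", "2", "--decrypt", str(manifest_path)]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    valid = [l.split() for l in proc.stderr.splitlines() if l.startswith("[GNUPG:] VALIDSIG")]
    if proc.returncode != 0 or not valid:
        raise ValueError("CHECKSUMS.asc signature missing or invalid")
    fprs = {v[2] for v in valid} | {v[-1] for v in valid}   # signing key and its primary key
    if expected_fpr.replace(" ", "").upper() not in fprs:
        raise ValueError("CHECKSUMS.asc signed by an unexpected key")
    return proc.stdout


def install_check(root, expected_fpr=None, skip_signature=False):
    """The three policies from the message: key from CPAN or elsewhere (expected_fpr),
    or signature checking disabled, in which case only listed-file tampering is caught."""
    path = Path(root) / MANIFEST
    if skip_signature:
        text = strip_clearsign(path.read_text())
    elif expected_fpr:
        text = gpg_verify_and_extract(path, expected_fpr)
    else:
        raise ValueError("no fingerprint to verify the signature against")
    return verify_tree(root, text)


def make_sample_tree():
    """Constructed sample layout (not a real PAR archive) in a fresh temp dir."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="par-"))
    for d in ("_par", "lib", "script"):
        (root / d).mkdir()
    (root / "_par" / "META.info").write_text("Name: Example\nAuthor: EXAMPLE\n")
    (root / "lib" / "Example.pm").write_text("package Example; 1;\n")
    (root / "script" / "example.pl").write_text("use Example;\n")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    (root / MANIFEST).write_text(build_manifest(root))   # then: gpg --clearsign on it
    print("clean:", is_clean(install_check(root, skip_signature=True)))
    (root / "lib" / "Evil.pm").write_text("")            # unlisted file shows up as 'extra'
    print(install_check(root, skip_signature=True))
```

The order matters at install time: verify the signature and pin it to the expected fingerprint first, and only then trust the digests; with the check disabled, a replaced manifest and replaced files will of course pass together.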