I just wanted to walk through the steps needed to trust an MD5 signature when using mirrors,
given a unified directory/repository structure between the mirrors and the official source.
Here is what I think the steps are:


1. User/tool visits the official repository for a resource and gets
a list of mirrors.
2. User/tool browses and finds the desired download from a mirror: http://mirror.org/group/project/artifact.zip
3. User/tool downloads the matching MD5 over HTTPS from the official site, say https://repo.apache.org/group/project/artifact.zip.MD5
   1. User/tool verifies the validity of the https://repo.apache.org certificate.
4. User/tool compares the downloaded MD5 to the MD5 generated from the downloaded
artifact.
   1. If there is no match, delete the downloaded file and report an error.



Have I overlooked anything?

R,
Nick
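As an added example (not code from Nick's post), here is a Python sketch of steps 3 and 4: the .MD5 file is fetched over HTTPS with certificate and hostname validation, the digest is parsed out of it (assuming either a bare hex digest or the md5sum "digest  filename" layout), compared against the locally computed digest of the mirror download, and the artifact is deleted on mismatch. A checksum served from the official host is only as trustworthy as the HTTPS channel it arrived over; it is not a signature in the PGP sense.

```python
import hashlib
import hmac
import re
import ssl
import tempfile
import urllib.request
from pathlib import Path

# Assumption: the .MD5 file holds a 32-hex-digit digest, optionally followed by a filename.
_HEX32 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def fetch_official_md5(url: str, timeout: float = 30) -> str:
    """Step 3 / 3.1: fetch the checksum from the official site over HTTPS only.
    ssl.create_default_context() validates the certificate chain and hostname."""
    if not url.lower().startswith("https://"):
        raise ValueError("checksum must be fetched from the official site over HTTPS")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("ascii", errors="strict")


def parse_md5_file(text: str) -> str:
    """Return the lowercase hex digest found in the .MD5 file text."""
    m = _HEX32.search(text)
    if not m:
        raise ValueError("no 32-hex-digit MD5 digest found in checksum file")
    return m.group(1).lower()


def md5_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the artifact through MD5 so large downloads need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_mirror_download(artifact: Path, official_md5_text: str) -> bool:
    """Step 4: compare the official digest with the mirror download's digest.
    Step 4.1: on mismatch, delete the file and return False so the caller can report."""
    expected = parse_md5_file(official_md5_text)
    actual = md5_of_file(artifact)
    if hmac.compare_digest(expected, actual):
        return True
    artifact.unlink(missing_ok=True)
    return False


def demo_verify(content: bytes, md5_text: str) -> tuple:
    """Helper for offline use: write constructed bytes to a temp file, verify them,
    and report (verification result, whether the file still exists afterwards)."""
    path = Path(tempfile.mkdtemp()) / "artifact.zip"
    path.write_bytes(content)
    ok = verify_mirror_download(path, md5_text)
    return ok, path.exists()
```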
