Sebb created CLOUDSTACK-10280: --------------------------------- Summary: Please use HTTPS for KEYS, sigs and hashes Key: CLOUDSTACK-10280 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10280 Project: CloudStack Issue Type: Improvement Security Level: Public (Anyone can view this level - this is the default.) Reporter: Sebb
The download page is generally fine. However the links to the KEYS, sigs (PGP) and hashes use http; ideally they should use https. Also the gpg command should read: gpg --verify apache-cloudstack-X.X.X-src.tar.bz2.asc apache-cloudstack-X.X.X-src.tar.bz2 i.e. both the detached sig and the artifact itself should be specified. See: https://www.apache.org/info/verification.html#CheckingSignatures -- This message was sent by Atlassian JIRA (v7.6.3#76005)