=== Task ===
Check integrity and authenticity of the downloaded source archive.
=== Description ===
You could create a hash (e.g. SHA-256) of the archive and publish it in a file that can be downloaded alongside the archive.
That hash file then has to be signed with a trusted GPG key (for example, anything PKI-based is fine), with the public key made widely available.
That way one could verify both the integrity and the authenticity of the downloaded file.
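The check a downloader would run against the two artifacts the description proposes, as an added example (not code from the ticket or from the project): it assumes the hash file uses the `sha256sum` line format (`<hex digest>  <file name>`), that a detached ASCII signature over that hash file sits next to it, that `gpg` is on the PATH with the publisher's public key already imported, and the archive name `mongodb-src-example.tar.gz` is a hypothetical placeholder.

```python
"""Verify a downloaded archive against a GPG-signed SHA-256 hash file.

Added example, not the ticket's or the project's code. Assumes a
sha256sum-style hash file, a detached signature over it (e.g. SHA256SUMS.asc)
and a gpg binary whose keyring already contains the signer's public key.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_hash_file(text):
    """Parse sha256sum-style lines into {file name: lowercase hex digest}.

    Accepts both text mode ("hash  name") and binary mode ("hash *name").
    A line that is not a 64-hex-character digest plus a name is an error,
    not something to skip silently.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX_DIGITS:
            raise ValueError(f"malformed hash line {lineno}: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_hash(archive_path, hash_file_path):
    """Integrity: does the archive's SHA-256 match the entry for its own file name?"""
    with open(hash_file_path, encoding="utf-8") as f:
        entries = parse_hash_file(f.read())
    name = os.path.basename(archive_path)
    expected = entries.get(name)
    if expected is None:
        raise ValueError(f"no entry for {name!r} in {hash_file_path}")
    # compare_digest avoids leaking where the mismatch is through timing.
    return hmac.compare_digest(expected, sha256_of_file(archive_path))


def verify_signature(hash_file_path, signature_path, gpg="gpg"):
    """Authenticity: check the detached signature over the hash file with gpg.

    --status-fd gives machine-readable status lines; GOODSIG alone is not
    enough, VALIDSIG confirms the signature itself verified.
    """
    if shutil.which(gpg) is None:
        raise RuntimeError("gpg binary not found; cannot verify authenticity")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature_path, hash_file_path],
        capture_output=True, text=True,
    )
    status = proc.stdout.splitlines()
    good = any(line.startswith("[GNUPG:] GOODSIG") for line in status)
    valid = any(line.startswith("[GNUPG:] VALIDSIG") for line in status)
    return proc.returncode == 0 and good and valid


def verify_download(archive_path, hash_file_path, signature_path):
    """Signature first (is this really the publisher's hash list?), then the hash."""
    if not verify_signature(hash_file_path, signature_path):
        return False
    return verify_hash(archive_path, hash_file_path)


def demo():
    """Constructed sample: a tiny 'archive' with a matching hash file, then a tampered copy."""
    d = tempfile.mkdtemp()
    archive = os.path.join(d, "mongodb-src-example.tar.gz")  # hypothetical name
    with open(archive, "wb") as f:
        f.write(b"constructed archive contents\n")
    hash_file = os.path.join(d, "SHA256SUMS")
    with open(hash_file, "w", encoding="utf-8") as f:
        f.write(f"{sha256_of_file(archive)}  mongodb-src-example.tar.gz\n")
    ok_before = verify_hash(archive, hash_file)
    with open(archive, "ab") as f:
        f.write(b"tampered\n")  # any change to the archive must now be detected
    ok_after = verify_hash(archive, hash_file)
    shutil.rmtree(d)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The ordering in `verify_download` matters: the hash only proves integrity relative to the hash file, so the hash file's signature has to check out before its contents are trusted, and the signature must cover a file that names the archive, otherwise a valid signature over some other release's hash list would pass. The public key itself still has to reach the downloader through a channel other than the download server for the signature to add anything.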
=== Issue Links ===
- is related to: SERVER-4808 Provide repo downloads of older versions of packages (Closed)
- related to: SERVER-8770 Sign RPM packages available via the 10gen yum repository (Closed)