Bug 61397

Summary: Built-in signature verification support
Product: [Applications] kget Reporter: Paul Eggleton <bluelightning>
Component: generalAssignee: KGet authors <kget>
Status: RESOLVED FIXED    
Severity: wishlist CC: anthonybryan, mat69, piccilli
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed In:

Description Paul Eggleton 2003-07-18 16:14:37 UTC 
Version:            (using KDE KDE 3.1.2)
Installed from:    Gentoo Packages
OS:          Linux

It would be useful if KGet had an optional feature to check for and verify downloads against PGP signatures or md5sums if they are available at the same location as the downloaded file. (Perhaps this would need to be enabled on a per-site basis, or per-filetype, to avoid too many unnecessary requests?)
Comment 1 Ant Bryan 2006-10-10 19:06:06 UTC 
*** This bug has been confirmed by popular vote. ***
Comment 2 Ant Bryan 2006-10-10 19:08:18 UTC 
Once metalink (http://bugs.kde.org/show_bug.cgi?id=124010) is supported, KGet can use the checksums/hashes and PGP signatures included there.

    <verification>
      <hash type="md5">example-md5-hash</hash>
      <hash type="sha1">example-sha1-hash</hash>
      <hash type="pgp"/>
    </verification>
Comment 3 Urs Wolfer 2008-01-26 19:36:40 UTC 
*** Bug 150447 has been marked as a duplicate of this bug. ***
Comment 4 Ant Bryan 2008-10-31 04:57:51 UTC 
http://mirrorbrain.org/news_items/metalinks_now_with_PGP_signatures

Metalinks from openSUSE now contain PGP signatures, along with full file and partial file checksums.

It would be great if KGet verified checksums, and automated integrated signature verification w/ Kgpg somehow.
Comment 5 Matthias Fuchs 2009-11-10 00:23:33 UTC 
Added signature-verifying support to trunk (I added checksum-verifying support a few months ago).