Uploaded image for project: 'Qt Installer Framework'
  1. Qt Installer Framework
  2. QTIFW-766

Allow signing/verification of metadata (package.xml)

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Unresolved
    • Icon: P2: Important P2: Important
    • Some future release
    • None
    • General
    • None

      Right now an online installer relies solely on transport level security (SSL) to verify the integrity of downloads. The data is also protected with a SHA1 checksum, but that is not true for the metadata.

      Instead we should sign the metadata with a certificate that the client installer can then verify.

      There's an attempt to add API to QtNetwork to allow this easily:

      https://codereview.qt-project.org/#/c/113855/

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

            installerteam Installer Team
            kkohne Kai Köhne
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:

                There are no open Gerrit changes