
feat: Verify files with PGP keys wherever possible. #4

Open
@lj3954

Description

I confirm this feature has not been previously requested

  • I have searched the issues and this feature has not previously been requested

Describe the solution you'd like
Quickget should be able to verify files with PGP keys, or other more secure methods, whenever one is available. This would improve security. Quickget_configs must provide these keys, within the WebSource struct. In addition, the JSON files distributed through CI should also be signed, to ensure that there's virtually no chance of tampering.

Describe alternatives you've considered
There are no alternatives. The current method of using checksums fetched from the same mirror (which, to be clear, should still be done in addition) is not anywhere near as secure as PGP keys. It more or less serves to verify that the file you downloaded matches the file on the server, rather than what the source of the file is.

Additional context
PGP keys must be added as constant values, and never fetched from the internet in CI or at any point. That would defeat the entire purpose. Obviously, care must be taken to ensure that the keys are correct for the maintainers of each project.
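The verification flow the issue describes, as an added example (not code from quickget, quickget_configs, or the issue author): the public key is pinned as a constant in the binary, the checksum list is trusted only after its detached signature verifies against that pinned key, and only then is the downloaded file compared against the signed checksum. To keep it runnable without an OpenPGP library it uses ed25519 from Go's standard library in place of PGP; the key pair, file names, file contents and the sha256sum-style list are all constructed sample data, and the split into provenance and integrity errors is this example's own design, not an API of either project.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Distinct errors so a caller can tell a provenance failure (signature) from
// an integrity failure (checksum). Constructed for this example.
var (
	ErrBadSignature   = errors.New("checksum list signature does not verify against pinned key")
	ErrNoChecksum     = errors.New("no checksum entry for requested file")
	ErrChecksumFailed = errors.New("file digest does not match signed checksum list")
)

// VerifyDownload trusts the checksum list only after its detached signature
// verifies against the pinned key, then checks the file against that list.
// A list fetched from the same mirror as the file proves nothing on its own.
func VerifyDownload(pinned ed25519.PublicKey, sums, sig []byte, name string, file []byte) error {
	if !ed25519.Verify(pinned, sums, sig) {
		return ErrBadSignature
	}
	want, err := lookupChecksum(sums, name)
	if err != nil {
		return err
	}
	got := sha256.Sum256(file)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrChecksumFailed
	}
	return nil
}

// lookupChecksum parses a sha256sum-style list ("<hex>  <filename>" per line)
// and returns the digest recorded for name.
func lookupChecksum(sums []byte, name string) ([]byte, error) {
	sc := bufio.NewScanner(bytes.NewReader(sums))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		// sha256sum marks binary-mode entries with a leading '*'.
		if strings.TrimPrefix(fields[1], "*") != name {
			continue
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("malformed checksum entry for %q", name)
		}
		return digest, nil
	}
	return nil, ErrNoChecksum
}

// MakeDemoKeys stands in for a project's signing key. A real tool would embed
// only the public half as a constant and never fetch it at runtime.
func MakeDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignSums produces the detached signature published next to the list.
func SignSums(priv ed25519.PrivateKey, sums []byte) []byte {
	return ed25519.Sign(priv, sums)
}

// MakeSumsFile builds a sha256sum-style list from constructed file contents.
func MakeSumsFile(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

func main() {
	pub, priv := MakeDemoKeys()
	iso := []byte("constructed: pretend this is an installer image")
	sums := MakeSumsFile(map[string][]byte{"demo.iso": iso})
	sig := SignSums(priv, sums)
	fmt.Println("genuine file:", VerifyDownload(pub, sums, sig, "demo.iso", iso))

	// A mirror that swaps the file can rewrite the list so both still agree,
	// but cannot re-sign it for the pinned key, so the swap fails at step one.
	swapped := []byte("constructed: replaced image")
	swappedSums := MakeSumsFile(map[string][]byte{"demo.iso": swapped})
	fmt.Println("mirror rewrote list:", VerifyDownload(pub, swappedSums, sig, "demo.iso", swapped))

	// A corrupted download with a genuine signed list fails at the digest step.
	fmt.Println("corrupt download:", VerifyDownload(pub, sums, sig, "demo.iso", swapped))
}
```

The point the issue makes is visible in the second case: the rewritten checksum list matches the replaced file perfectly, and a checksum-only client would accept it; only the signature check against a key that never left the binary rejects it. With OpenPGP the shape is identical, with the pinned armored public key and a `.sig`/`.asc` file taking the place of the ed25519 key and signature.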

Labels: enhancement (New feature or request)