Proposal: cabal-install: verify OpenPGP signatures

Nikita Karetnikov nikita at
Tue May 6 11:00:32 UTC 2014

Thanks for such a detailed reply, Duncan.

> I think optional GPG signatures is a good idea, and I think in principle
> we would accept the patch. However it does have to be opt-in only: both
> opt-in for authors signing, and opt-in for clients checking.


> However, as I've said, these two security measures are complementary, we
> can have both. I can imagine a situation in which all packages are
> signed by the server, but some important ones are also signed by the
> authors, giving us a higher level of assurance of authenticity and
> integrity for those packages.


> So yes, you're welcome to help with either GPG signing or this
> alternative scheme, whichever you'd prefer to hack on.

I intend to hack on the former.  I’ll be sending progress reports,
questions, and so forth to this list, so stay tuned.  If anyone wants to
collaborate, don’t hesitate to contact me.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <>

More information about the cabal-devel mailing list