DMD downloads over HTTPS

Vladimir Panteleev thecybershadow.lists at gmail.com
Thu Sep 26 21:26:38 UTC 2019


On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing 
> D in their CI environment) we are having a discussion about how 
> downloading DMD over HTTP could lead to MITM attacks. However 
> downloads.dlang.org doesn't seem to have HTTPS available at all.

IIRC, the last time we looked into this, which admittedly was 
many years ago, SSL was an additional paid feature for the Amazon 
service we use to serve the downloads.

> Is there some possibility to add HTTPS support to 
> downloads.dlang.org to make sure the downloads function 
> properly? GnuPG isn't listed on the installed binaries in a 
> GitHub Actions environment so it can't be called to check using 
> the provided keyring (which would need to be updated every once 
> in a while too)

The keyring is available over HTTPS, so the procedure we 
currently recommend is to download that and use it to verify the 
downloads. This is what e.g. the install.sh script does.

BTW, GnuPG is a dependency of many other software packages (e.g. 
attempting to remove it on Arch Linux pulls in a long string of 
dependencies, making this impossible). It's possible that there is 
an implied guarantee that GnuPG will be present on the CI systems 
even though it is not explicitly listed.
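
The procedure described above (keyring fetched over HTTPS, release and detached signature fetched over plain HTTP, then verified against only that keyring), written out as an added example; this is not the install.sh script from the thread. The keyring URL, the release path layout and the archive name are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the project's install.sh. Integrity of the HTTP download comes
# from the detached signature; only the keyring must arrive over a trusted channel.
# KEYRING_URL and DMD_BASE are assumed values, not quoted from the thread.
set -eu

KEYRING_URL="${KEYRING_URL:-https://dlang.org/d-keyring.gpg}"   # assumed location
DMD_BASE="${DMD_BASE:-http://downloads.dlang.org/releases/2.x}"  # assumed layout

# fetch_keyring DEST: HTTPS only (refuses a redirect to http://), TLS 1.2 or newer,
# and a non-2xx response is an error rather than a saved HTML error page.
fetch_keyring() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$1" "$KEYRING_URL"
}

# verify_signature KEYRING SIGFILE ARCHIVE: returns 0 only if ARCHIVE is signed by a
# key in KEYRING. Prefers gpgv (no default keyring, no trust db, no key fetching),
# falling back to gpg with an explicit keyring. Any missing or empty input fails closed.
# Pass KEYRING as an absolute path; gpgv resolves bare names inside ~/.gnupg.
verify_signature() {
    keyring=$1; sig=$2; archive=$3
    for f in "$keyring" "$sig" "$archive"; do
        [ -s "$f" ] || { echo "verify_signature: missing or empty: $f" >&2; return 1; }
    done
    if command -v gpgv >/dev/null 2>&1; then
        gpgv --keyring "$keyring" "$sig" "$archive"
    else
        gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$archive"
    fi
}

# install_dmd VERSION WORKDIR: the full procedure, e.g. install_dmd 2.088.0 /tmp/dmd
install_dmd() {
    version=$1; dir=$(cd "$2" 2>/dev/null && pwd || { mkdir -p "$2" && cd "$2" && pwd; })
    archive="dmd.$version.linux.tar.xz"
    fetch_keyring "$dir/d-keyring.gpg"
    curl -fsSL -o "$dir/$archive"     "$DMD_BASE/$version/$archive"
    curl -fsSL -o "$dir/$archive.sig" "$DMD_BASE/$version/$archive.sig"
    verify_signature "$dir/d-keyring.gpg" "$dir/$archive.sig" "$dir/$archive" \
        || { rm -f "$dir/$archive"; echo "signature check FAILED, archive deleted" >&2; return 1; }
    tar -xJf "$dir/$archive" -C "$dir"
}
```

Because the archive is deleted on a failed check, a tampered HTTP response can never be unpacked, which is the property the signature step exists to provide.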
