[asterisk-dev] Authenticated downloads of external stuff?

[Alexander Traud]

> downloads.asterisk.org is an https site, so certificate auth and all
> that should be verifiable.

Currently, Asterisk retrieves its external stuff not via HTTPs but HTTP.

One approach would be to change all links to HTTPs within the Asterisk
source. However, that is problematic for example in FreeBSD which comes
without trust anchors. Furthermore, that approach does not use
certificate pinning. Therefore, one alternative is to move the hashes
into the Asterisk tarball. This gives at least the same security as
certificate pining but does not increase the burden in the local
configuration.

Actually, this gives bullet proof downloads. The user only has to
double-check the signature of the initial download, the download of the
Asterisk tarball. Everything else chains up to that. The code is quite
the same, just the location of the hashes move.