Denis Golovin updated JBDS-4330:
--------------------------------
Sprint: devex #133 Jun 2018
GPG Signature verification for .json and .js files
--------------------------------------------------
Key: JBDS-4330
URL: https://issues.jboss.org/browse/JBDS-4330
Project: Red Hat JBoss Developer Studio (devstudio)
Issue Type: Bug
Components: platform-installer
Affects Versions: 11.0.0.AM1
Reporter: Denis Golovin
Assignee: Denis Golovin
Fix For: 11.0.0.AM1
To allow loading remote configuration or even JavaScript modules, there should be a way
to confirm the origin of a downloaded file to prevent 'man-in-the-middle attacks'. Files
loaded from a remote location should bear a GPG signature that the installer should verify
before proceeding with the loaded file.
This should be possible with https://github.com/openpgpjs/openpgpjs, using the
'Create and verify detached signatures' section of
https://openpgpjs.org/openpgpjs/doc/index.html.
The idea is to sign the .json or .js file with GPG, then download the json/js code
separately from the signature, verify it, and only then proceed with loading the .json or
.js module from the string.