Signature Checking - When to Enable?
This is another concept that we need to discuss and implement. When exactly should signature checks be enabled?
When --verify-sig is enabled AND the downloaded file has a Content-Type that matches "application/*", we check for a signature file. However, there would be multiple cases where the Content-Type is NOT application/*, but rather, say, text/plain or even text/html. Wget2 should verify the signatures in these cases as well.
Of course, we can't always enable it, since it would cause a very large amount of wasted network bandwidth, but we do need to find the correct middle ground.
One suggestion: Assuming --verify-sig, if Wget2 is invoked without recursion, then check for a signature for all non-text/html files. And a new switch, --force-verify, which will send a signature request with every request, irrespective of the Content-Type.
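
The trade-off described above can be made concrete by counting signature requests per policy. This is an added example, not Wget2 code: the policy names, the function names and the sample responses are constructed for illustration. It assumes that --force-verify only takes effect together with --verify-sig, and that the suggested rule falls back to the application/* check when recursion is on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for the three behaviours discussed above. */
enum sig_policy { POLICY_CURRENT, POLICY_SUGGESTED, POLICY_FORCE };

/* Compare the media type only: skip leading blanks, stop at ';' or a blank,
 * ignore case. prefix=true matches a prefix ("application/" ~ application/*). */
static bool media_type_is(const char *ct, const char *want, bool prefix)
{
    while (*ct == ' ' || *ct == '\t') ct++;
    size_t len = strcspn(ct, "; \t"), wlen = strlen(want);
    if (prefix ? len < wlen : len != wlen) return false;
    return strncasecmp(ct, want, wlen) == 0;
}

/* True if a signature file should be requested for this response. */
bool should_check_sig(enum sig_policy p, bool verify_sig, bool recursive,
                      const char *content_type)
{
    if (!verify_sig) return false;          /* assumption: nothing without --verify-sig */
    if (p == POLICY_FORCE) return true;     /* every request, any Content-Type */
    if (!content_type) content_type = "";   /* missing header: not text/html */
    if (p == POLICY_SUGGESTED && !recursive)
        return !media_type_is(content_type, "text/html", false);
    return media_type_is(content_type, "application/", true);
}

struct resp { const char *url, *content_type; };
/* Constructed sample responses, not taken from a real server. */
static const struct resp SAMPLE[] = {
    { "/pkg/tool-1.0.tar.gz", "application/gzip" },
    { "/pkg/SHA256SUMS",      "text/plain; charset=utf-8" },
    { "/index.html",          "Text/HTML; charset=UTF-8" },
    { "/install.sh",          "text/x-shellscript" },
    { "/pkg/tool.bin",        "APPLICATION/octet-stream" },
};

/* Number of extra signature requests a policy triggers over SAMPLE. */
int sig_requests(enum sig_policy p, bool verify_sig, bool recursive)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        n += should_check_sig(p, verify_sig, recursive, SAMPLE[i].content_type);
    return n;
}

int main(void)
{
    for (int p = POLICY_CURRENT; p <= POLICY_FORCE; p++)
        printf("policy %d: %d signature requests\n", p, sig_requests(p, true, false));
    return 0;
}
```

Under the current rule the checksum file and the shell script in the sample are fetched without any signature check, which is the gap the suggestion addresses.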