Verified integrity plugin PoC
Implementing a proof-of-concept plugin which, after a public key is configured, for each request for `/some/file.ext`:
- fetches the requested resource
- fetches a separate JSON file, by default `/some/file.ext.integrity`; that file contains the integrity data, that is signed with the private key corresponding to the configured public key
- verifies the signature of the integrity data in the integrity file
- uses the integrity data to verify the fetched requested resource (perhaps using the `integrity-check` plugin, instead of re-implementing this)
- if integrity data matches, returns the `Response`; otherwise errors out.
Related to #1 (closed).
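
The check sequence listed above, sketched with WebCrypto as an added example (not the plugin's own code). The issue does not define the integrity file format or key type, so the ECDSA P-256 keys, the `{data, signature}` JSON layout, the `path` field inside the signed data, and the names `verifiedFetch`, `fetchFn` and `demo` are all assumptions.

```javascript
// Added example. Assumed, not from the issue: ECDSA P-256 keys and an integrity
// file shaped as {"data": "<JSON string of {path, integrity}>", "signature": "<base64>"}.
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const ECDSA = { name: 'ECDSA', hash: 'SHA-256' };
async function getSubtle() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}
const sri = async (subtle, bytes) => 'sha256-' + b64(await subtle.digest('SHA-256', bytes));

// Returns the resource bytes if every check passes; throws otherwise.
async function verifiedFetch(path, publicKey, fetchFn) {
  const subtle = await getSubtle();
  const body = await fetchFn(path);
  const file = JSON.parse(new TextDecoder().decode(await fetchFn(path + '.integrity')));
  // 1. Verify the signature before trusting anything inside the integrity data.
  const ok = await subtle.verify(ECDSA, publicKey, unb64(file.signature), enc.encode(file.data));
  if (!ok) throw new Error('bad signature');
  const data = JSON.parse(file.data);
  // 2. Signed data must name this path, or a validly signed file for another
  //    resource could be served in its place.
  if (data.path !== path) throw new Error('wrong path');
  // 3. Compare the resource's digest with the signed one.
  if ((await sri(subtle, body)) !== data.integrity) throw new Error('digest mismatch');
  return body;
}

// Constructed demo: throwaway key pair, in-memory map standing in for the network.
async function demo() {
  const subtle = await getSubtle();
  const keys = await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
  const sign = async (path, bytes) => {
    const data = JSON.stringify({ path, integrity: await sri(subtle, bytes) });
    const sig = await subtle.sign(ECDSA, keys.privateKey, enc.encode(data));
    return enc.encode(JSON.stringify({ data, signature: b64(sig) }));
  };
  const good = enc.encode('console.log("hi")');
  const store = { '/some/file.ext': good, '/some/file.ext.integrity': await sign('/some/file.ext', good) };
  const run = () => verifiedFetch('/some/file.ext', keys.publicKey, async (p) => store[p])
    .then(() => 'ok', (e) => e.message);
  const results = { intact: await run() };
  store['/some/file.ext'] = enc.encode('console.log("evil")'); // resource changed after signing
  results.tampered = await run();
  store['/some/file.ext'] = good;
  store['/some/file.ext.integrity'] = await sign('/other.ext', good); // signed file for another path
  results.replayed = await run();
  return results;
}
```

A missing or unparseable integrity file makes `JSON.parse` throw, so the sketch fails closed, matching the "otherwise errors out" step.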