Certificates & Checksums: md5, sha, pgp and wget --no-check-certificate
I would like pkg to be able to do certificate checking (both https, and pgp). I would also like the ability to use checksums both from the repo database and also from the metadata within the package.
Perhaps there could be environmental variables to determine what type of checking we do. The easiest would be with regard to wget. I notice in the code the --no-check-certificate flag is used. The tor repo uses https, so there would be value in checking the certificate. We can add an environmental variable that determines whether or not wget checks the https certificate.
Many Debian repos also have their content signed with a pgp signature. Even just checking the signature of the package database file would be of great value; then the checksums within the repo database could be used to check the validity of individual packages. For example, the stretch release of the tor repo has the signature located in the following folder:
https://deb.torproject.org/torproject.org/dists/stretch/
Finally, it would be possible to check the validity of a package using pgp signatures if the checksums within the package were signed by a valid pgp signature.
Anyway, I think that the easiest thing to implement here is an environmental variable to determine whether or not the "--no-check-certificate" flag is used. The other stuff can be implemented later.
Once more of these things are implemented we could have different security modes. For example perhaps one only needs either a valid https certificate or a valid pgp signature but not necessarily both. This all depends on how cautious one wants to be though.
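
The two simplest checks proposed in the post above, as an added example that is not part of the original post or of pkg's own code: an opt-out switch for wget's certificate check, and a package checksum lookup against a Debian-style Packages index. The variable name PKG_CHECK_CERT and the function names are hypothetical, the package and index are constructed sample data, and the index is assumed to have been authenticated already.

```shell
#!/bin/sh
# Added example: PKG_CHECK_CERT is a hypothetical variable name, not part of pkg.

# Emit the wget TLS option. Certificates are verified unless the user opts out.
wget_tls_opts() {
  case "${PKG_CHECK_CERT:-1}" in
    0|no|false) printf '%s\n' '--no-check-certificate' ;;
    *) : ;;   # default: no flag, so wget validates the HTTPS certificate
  esac
}

# Print the SHA256 field of the stanza whose Filename matches $2.
index_sha256() {  # $1 = Packages index, $2 = Filename value
  awk -v want="$2" 'BEGIN { RS = ""; FS = "\n" }
    { fn = ""; sum = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Filename: /) fn = substr($i, 11)
        if ($i ~ /^SHA256: /)   sum = substr($i, 9)
      }
      if (fn == want) { print sum; exit } }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the file is not listed in the index.
# Assumes the index itself was already authenticated (e.g. by its PGP signature).
verify_pkg() {  # $1 = Packages index, $2 = Filename in index, $3 = local file
  expected=$(index_sha256 "$1" "$2")
  [ -n "$expected" ] || return 2
  actual=$(sha256sum "$3" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Constructed sample data: a fake package and a one-stanza index describing it.
make_sample() {  # $1 = directory to populate
  printf 'constructed package payload\n' > "$1/demo_1.0_all.deb"
  sum=$(sha256sum "$1/demo_1.0_all.deb" | cut -d' ' -f1)
  printf 'Package: demo\nVersion: 1.0\nFilename: pool/demo_1.0_all.deb\nSHA256: %s\n' \
    "$sum" > "$1/Packages"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if verify_pkg "$demo_dir/Packages" pool/demo_1.0_all.deb "$demo_dir/demo_1.0_all.deb"
then echo "checksum ok; wget options: $(wget_tls_opts)"
else echo "checksum mismatch"
fi
rm -rf "$demo_dir"
```

A package that is missing from the index is refused (return code 2) rather than treated as unverified-but-acceptable, so a file that was never listed cannot bypass the check.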