Maybe we should just recommend that software is distributed as a (not detached) signed file. So:
curl http://yolo.example.com/lulz.gpg | gpg -d - | sh
(Which of course doesn't work either, as one could replace lulz.gpg with "#!/usr/bin/env sh; rm -rf /" signed by some key one trusts... which isn't so far-fetched assuming some trusted entity publishes a utility for wiping a system automatically (think: shred /dev/sd*))...
Still, gpg -d seems preferable to detached signatures (not to mention detached hashes) for this type of thing? The files can't be used without verifying, or running through gpg [ed: or other manual intervention, for shooting oneself in the foot] -- and there is a single, sane way to do that.
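Added example, not from the post above: a runnable sketch of the substitution problem the poster describes and of the two checks a "gpg -d | sh" consumer needs before executing anything. It generates a throwaway "vendor" key in a temporary GNUPGHOME, signs two payloads with it (the installer you want, and a harmless stand-in for the "wipe the disk" utility), and shows that `gpg -d` accepts both, because a valid signature only proves *someone trusted signed something*, not *which* something. The stricter verifier pins the signing key's fingerprint via gpg's `--status-fd` output and then requires the signed payload to name the package it belongs to. The vendor name, file names and the `# package:` header convention are assumptions made up for this demo; it needs GnuPG 2.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumes GnuPG >= 2.1.
# The vendor identity, file names and the "# package:" header are made up.
set -eu

export GNUPGHOME
GNUPGHOME=$(mktemp -d)
WORK=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT
cd "$WORK"

# Constructed test data: a "trusted vendor" key generated on the fly.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Trusted Vendor <vendor@example.com>' 2>/dev/null
VENDOR_FPR=$(gpg --batch --with-colons --list-keys vendor@example.com \
             | awk -F: '/^fpr:/ { print $10; exit }')

# Two payloads, both legitimately signed by the same vendor key: the
# installer we asked for, and a stand-in for "shred /dev/sd*" that only echoes.
cat > lulz.sh <<'EOF'
# package: lulz
echo "installing lulz"
EOF
cat > shred.sh <<'EOF'
# package: shred-everything
echo "would now run: shred /dev/sd*"
EOF
for f in lulz shred; do
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$VENDOR_FPR" --output "$f.gpg" --sign "$f.sh" 2>/dev/null
done

# verify_payload FILE EXPECTED_PRIMARY_FPR EXPECTED_PACKAGE
# Prints the signed payload on success, returns 1 otherwise. gpg's
# machine-readable status lines go to fd 1 while the decrypted data goes to
# a file, so no byte reaches the caller before both checks pass.
verify_payload() {
    file=$1 want_fpr=$2 want_pkg=$3
    out=$(mktemp)
    st=$(gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$file" 2>/dev/null) \
        || { rm -f "$out"; return 1; }
    # Check 1: VALIDSIG's last field is the primary key fingerprint; pin it.
    got_fpr=$(printf '%s\n' "$st" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }')
    [ "$got_fpr" = "$want_fpr" ] || { rm -f "$out"; return 1; }
    # Check 2: the signed content must say what it is (assumed convention:
    # first line "# package: <name>"), so a vendor-signed "shred" can't stand
    # in for a vendor-signed "lulz".
    got_pkg=$(head -n 1 "$out" | sed -n 's/^# package: //p')
    [ "$got_pkg" = "$want_pkg" ] || { rm -f "$out"; return 1; }
    cat "$out"
    rm -f "$out"
}

# Naive pipeline: anything the vendor ever signed is accepted and executed.
gpg --batch --quiet --decrypt shred.gpg 2>/dev/null | sh

# Checked pipeline: same trusted key, wrong package, so nothing is executed.
if payload=$(verify_payload shred.gpg "$VENDOR_FPR" lulz); then
    printf '%s\n' "$payload" | sh
else
    echo "refused: valid signature, but not the package we asked for"
fi
```

The key-pinning check is what `gpg -d` alone never does for you (it only requires *some* key in the keyring with sufficient trust), and the payload-identity check is the part the poster's attack exploits: without something inside the signed bytes that names the artifact, a signature from the right key proves nothing about whether you got the right file.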