Integrity protection for downloaded RPMs

[takimata]

When installing from chum, it downloads the packages via http and does not check any GPG signatures (because there are none).
This means that, right now, any one who can hijack an HTTP connection can make you install & execute arbitrary code (which we don't want, duh).

I see some possible (quick) fixes:

• enable HTTPS on repo.merproject.org
  Apparently this is what Jolla does right now for their own repos. No GPG signatures as well but at least some transport protection.
  On repo.merproject.org, TLS support appears to be available but the configuration seems to be broken...
• GPG sign all packages in sailfishos:chum
• figure out a way to use OpenBSD's signify with RPMs

What are the plans on this?
The first option might be the most preferable right now, but the latter could be the best in the long term.

[rinigus]

https is now available, we will have to enable it by default in chum meta-package

[rinigus]

Just released repositories definitions (package sailfishos-chum) which switches to https. In few minutes, running update

zypper ref
zypper up

should result in update of that package and Chum repositories should switch to https.

As for signing, not yet there and I don't think anyone is working on it now.

[poetaster]

If I'm not mistaken, only Jolla can help here since they need to have a publicly visible security_obs@jolla.com address and public key AND set up the rpm signing. There isn't really anything we can do, is there?