Does Rust's `cargo` package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps asking the user to install Rust dependencies with `cargo install ...`. I usually don't do this, as I trust my OS package manager (i.e. `apt`) to actually validate the origin/trust and integrity of the package before installing it.
Does `cargo` provide cryptographic authentication and integrity checks for all items downloaded before installing them by default?
Note: Transport validation via X.509 does not count as a valid auth/integrity check.