Consider providing an asc file for gpg checking for rustup-init

[jonathanKingston]

Currently all the security checks provided in rustup-init have little gain to new users downloading a file that may have gone rogue etc. This is considered TOFU (Trust On First Use) security.

For a more security aware user, it would be nice to permit them to use rustup still however providing them with the ability to check the asc of the download before running it.

There isn't a .asc described here https://internals.rust-lang.org/t/future-updates-to-the-rustup-distribution-format/4196 for this file either.

Related to #242 (this would still be considered TOFU security).
Basically my goal is to have a reproducible Docker file with verifiable security (I have this here: https://hub.docker.com/r/kingstontime/docker-rust/~/dockerfile/ but without rustup and currently without Cargo)

Perhaps a lightweight bashfile like the dockerfile that can easily be verified would be an option?

[steveklabnik]

https://static.rust-lang.org/dist/index.html has .asc files already.

[jonathanKingston]

@steveklabnik this request is for the rustup-init file, I can't see it there. Could it be added to the same process?

[k3d3]

Hello,

Has this been looked into?