The web server checks each request for any file from a restricted access repository as follows:
The VERSION and
pgpkeys.txt files are available just for asking.
The contents of the TIMESTAMP file are constructed on
the fly, each time it gets requested.
In the future, the TIMESTAMP file might contain other
things beside just the server's clock.
When parsing this file's contents, be prepared to see, and ignore, other
things besides “TIME=N”.
Requests for any other file that do not include the extra authentication parameters are rejected.
The server compares the epoch timestamp in the request against its internal clock. The server rejects any requests with an epoch timestamp that's nowhere near what its internal clock says it should be. A variance of sixty seconds, plus or minus, is recommended. In practice the variance should not be more than 2-3 seconds, the extra padding provides for marginal situations when the server is overloaded with requests.
The server finds the authorization key that has ID
as its first part, and takes the second part of the authorization key.
The server combines the second part
with the timestamp from the request, and the relative path to the requested
file in the primary repository.
Finally, the server computes the SHA1
hash, converts it to hexadecimal, and prepends the fixed
“sha1-” prefix.
The request is rejected unless the result matches the
“hash” portion of the access request.