md5sum verification of gpg

zentara zentara@gnat.net
Tue, 26 Oct 1999 18:22:46 -0400


Werner Koch wrote:

>
> Alpha Tester <r3flex@yahoo.com> writes:
>
> > I've searched through gnupg's site, and I still
> > haven't found the official checksum that corresponds
> > to the gpg-1.0.0 version that I downloaded, and I
>
> $ md5sum gnupg-1.0.0.tar.gz
> bba45febd501acf8e19db402506dae94 gnupg-1.0.0.tar.gz
>
> But wait a few days, so others can verify the sum and complain if
> there is a problem with this message.
>
> I don't sign it, because it does not help you and the Web Archiver
> for the ML cannot handle MIME signed mails properly.
>
> Werner
>
> --
> Werner Koch at guug.de www.gnupg.org keyid 621CC013
Hello, I am extremely grateful to you for providing gpg. It runs well and fixes a whole bunch of problems that we had with pgp. Now comes the question of trust. I compiled my own, but didn't check the source code. (What good would it do me? I'm not advanced enough at C to recognize a backdoor if I saw it. :-) ) So I needed the md5sum check to validate my version, and I see 2 trust problems. I am sure there are more, but I am ignorant of them. I was thinking about this all day.

The first is: Are there any rumors of backdoors in gpg? I mean the md5sum is correct, but what is the integrity of gnupg.org? Is there a code oversight committee to check releases for backdoors? I hope that GnuPG isn't financed by Interpol. ;-) Not that governmental security agencies are not good institutions, but I don't want them controlling encryption code. They can spy in other ways to get info on you. Of course I am not even suggesting this is true. It is a trust issue, and I am wise about the Machiavellian world.

The second is: How do I know that the email is not being spoon-fed to me? I mean Werner could have posted email with the correct md5sum of his copy, and someone on my server (or along the route) could edit his email to match the md5sum of the bogus copy that they switched on me when I downloaded. Thereby I would be fooled into thinking that I had confirmation from Werner about the validity of the download. I find it worrisome that Werner didn't sign the md5sum file. Signing was the first thing explained in the Readme. Would you be kind enough to sign the md5sum file with ascii armor and put it on the mail list? I mean it is ascii armored, so we could receive it through email. It would only be a few k. I don't understand why your mailer can't handle ascii armored files. Also, why wouldn't it help us? It would say that it came from your machine. At least that is what the docs say.

At the very least it will be good practice for all us newbies, and makes us think about it all more deeply. Am I being overly paranoid here? I mean there are a lot of agents with computers out there and a lot of money goes into surveillance. Why not keep REAL crypto from the average citizen? And... how do we know that the people who run the networks are not playing games with us?

zentara ....crypto newbie
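The substitution zentara worries about, and the signed-checksum check that would catch it, as an added shell demonstration (not from this thread or from the GnuPG project). It assumes GNU coreutils and gpg 2.1 or later; the tarball contents, the signing key and the directory names are constructed stand-ins.

```shell
#!/bin/sh
# Added demo (not from the thread): constructed stand-in files modelling
# the checksum-substitution zentara describes. Assumes GNU coreutils
# (md5sum) and gpg >= 2.1 for the signed-checksum path.
T=gnupg-1.0.0.tar.gz

verify_md5() {            # $1 = dir holding $T and $T.md5; 0 = checksum matches
  (cd "$1" && md5sum -c --status "$T.md5")
}

verify_signed_md5() {     # $1 = dir, $2 = GNUPGHOME holding the publisher's key
  command -v gpg >/dev/null 2>&1 || return 2     # 2 = cannot verify at all
  GNUPGHOME="$2" gpg --batch --quiet --verify "$1/$T.md5.asc" "$1/$T.md5" 2>/dev/null
}

setup_demo() {            # prints a work dir with publisher/, mirror/, gnupghome/
  w=$(mktemp -d)
  mkdir -p "$w/publisher" "$w/mirror" "$w/gnupghome" && chmod 700 "$w/gnupghome"
  # Publisher side: genuine (constructed) tarball, its md5 file, armored detached sig.
  printf 'constructed stand-in for the real tarball\n' > "$w/publisher/$T"
  (cd "$w/publisher" && md5sum "$T" > "$T.md5")
  if command -v gpg >/dev/null 2>&1; then
    GNUPGHOME="$w/gnupghome" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Constructed Signer <signer@example.invalid>' default default never 2>/dev/null
    GNUPGHOME="$w/gnupghome" gpg --batch --quiet --armor --detach-sign \
      --output "$w/publisher/$T.md5.asc" "$w/publisher/$T.md5"
  fi
  # Someone on the route swaps the tarball and rewrites the md5 file to match it.
  # Without the signing key they cannot produce a matching .asc.
  cp "$w/publisher/"* "$w/mirror/"
  printf 'tampered build\n' > "$w/mirror/$T"
  (cd "$w/mirror" && md5sum "$T" > "$T.md5")
  echo "$w"
}

cleanup_demo() { GNUPGHOME="$1/gnupghome" gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$1"; }

demo() {
  w=$(setup_demo)
  for d in publisher mirror; do
    verify_md5 "$w/$d" && echo "$d: md5sum -c OK" || echo "$d: md5sum -c FAILED"
    verify_signed_md5 "$w/$d" "$w/gnupghome" && echo "$d: signed md5 verified" \
      || echo "$d: signed md5 NOT verified (bad signature, or no gpg available)"
  done
  cleanup_demo "$w"
}
demo
```

With gpg installed, both directories pass `md5sum -c`, and only the publisher's copy passes `gpg --verify`.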