Trust of GPG4Win - Part 1
Werner Koch
wk at gnupg.org
Sun Jul 28 10:27:57 CEST 2013
On Sat, 27 Jul 2013 07:22, hhhobbit at securemecca.net said:
> https://dl.acm.org/citation.cfm?id=2382230
Thanks for the pointer. Actually, I was not aware of this article
before I read the Yarom/Falkner paper. I would have appreciated it if Zhang
et al. had notified me of the problem, so that we could have fixed it
already last year.
> For a second corroborating source of the SHA1 hashes and file
> sizes look here for the current and potential new ones:
A note about the Intevation distribution key: For quite some time I
signed the installer files using my usual dist key. In fact I built the
installer on my machines. Then some people demanded that the installer
should be code signed so that Windows no longer prints a warning
about an unknown vendor. Intevation found that argument convincing and
purchased a signing key. Thus they now do the release and the signing.
That is easier and not less secure than if I built it, sent it to
them for code signing, received it back and OpenPGP-signed the exe files.
BTW, only about 10% of the Gpg4win downloaders also download the .sig
file.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.