No announcement for GnuPG 2.4.8?
Andrew Norton
andrew at apnorton.com
Mon Aug 11 20:10:48 CEST 2025
Hi all,
I was setting up a new computer (so I have no *existing* trusted gpg
installation to verify a signature), and I was attempting to follow the
instructions to perform an integrity check on the 2.4.8 tarball on gnupg.org
<https://www.gnupg.org/download/>. The instructions state:
> If you are not able to use an old version of GnuPG, you can still verify
> the file's SHA-1 checksum. This is less secure, because if someone modified
> the files as they were transferred to you, it would not be much more effort
> to modify the checksums that you see on this webpage. As such, if you use
> this method, you should compare the checksums with those in release
> announcement. This is sent to the gnupg-announce mailing list (among
> others), which is widely mirrored. Don't use the mailing list archive on
> this website, but find the announcement on several other websites and make
> sure the checksum is consistent. This makes it more difficult for an
> attacker to trick you into installing a modified version of the software.
However, I cannot locate any release announcement for 2.4.8
<https://dev.gnupg.org/source/gnupg/browse/master/NEWS>; the NEWS file just
goes straight from 2.4.6 to 2.5.0. All I can find online anywhere is a
Reddit thread
<https://www.reddit.com/r/GnuPG/comments/1lyd3ot/no_announcement_for_gnupg_248/>
of someone asking why there was no release announcement and not getting an
answer.
Is there another source I can reference for the checksum? As it stands, it
looks like I might have to install an older version for which I can find a
release announcement, then use the older version to validate the signature
on the newer release.
Thanks,
Andrew
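
Added example (not part of the original message, and not code from the GnuPG project): one way to script the cross-check the quoted instructions describe, where checksum values copied by hand from several independent copies of a release announcement must agree with each other before the local file is compared. The function name, the label=checksum argument format and the MIN_SOURCES threshold are assumptions of this sketch; it relies on sha1sum from coreutils.

```shell
#!/bin/sh
# Usage: verify_consensus FILE label=checksum [label=checksum ...]
# Each label is a free-form name for where that checksum was found
# (hypothetical convention for this example).

MIN_SOURCES=2   # assumed threshold: at least two independent sources

verify_consensus() {
    file=$1; shift
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    [ "$#" -ge "$MIN_SOURCES" ] || {
        echo "need at least $MIN_SOURCES sources, got $#" >&2; return 3; }

    # SHA-1 of the local file, hex digits only.
    actual=$(sha1sum "$file" | cut -d' ' -f1)

    reference=""
    for entry in "$@"; do
        label=${entry%%=*}
        # Normalise pasted values: drop whitespace, lower-case the hex.
        value=$(printf '%s' "${entry#*=}" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
        # Reject anything that is not exactly 40 hex digits.
        case $value in
            *[!0-9a-f]*|"") echo "$label: not a hex digest" >&2; return 4 ;;
        esac
        [ "${#value}" -eq 40 ] || { echo "$label: wrong length" >&2; return 4; }

        # The sources must agree with each other before the file is judged.
        if [ -z "$reference" ]; then
            reference=$value
        elif [ "$value" != "$reference" ]; then
            echo "$label disagrees with earlier sources" >&2; return 5
        fi
    done

    if [ "$actual" != "$reference" ]; then
        echo "file digest $actual does not match announced $reference" >&2
        return 1
    fi
    echo "OK: $# sources agree and match $file"
}
```

Exit status 5 means the sources contradict each other, which is a different finding from status 1, where they agree but the downloaded file does not match.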