md5sum verification of gpg

zentara zentara@gnat.net
Tue, 26 Oct 1999 18:22:46 -0400 

Werner Koch wrote:

> 

> Alpha Tester <r3flex@yahoo.com> writes:

> 

> > I've searched through gnupg's site, and I still

> > haven't found the official checksum that corresponds

> > to the gpg-1.0.0 version that I downloaded, and I

> 

> $ md5sum gnupg-1.0.0.tar.gz

> bba45febd501acf8e19db402506dae94  gnupg-1.0.0.tar.gz

> 

> But wait a few days, so others can verify the sum and complain if

> there is a problem with this message.

> 

> I don't sign it, because it does not help you and the Web Archiver

> for the ML cannot handle MIME signed mails properly.

> 

>   Werner

> 

> --

> Werner Koch at guug.de           www.gnupg.org           keyid 621CC013


Hello,
I am extrememly grateful for you to provide gpg.
It runs well and fixes a whole bunch of problems
that we had with pgp.

Now comes the question ot trust. I compiled my own, but didn't
check the source code. ( What good would it do me?; I'm not advanced
enough
at C to recognize a backdoor if I saw it. :-)  ).

So I needed the md5sum check to validate my version and I see
2 trust problems. I am sure there are more, but I am ignorant of them.
I was thinking about this all day.

The first is:
Are there any rumors of backdoors in gpg?
I mean the md5sum is correct, but what is the integrity
of gnupg.org?  Is there an code oversight committee to check
releases for backdoors?
I hope that GnuPG isn't financed by Interpol.;-) Not that 
governmental security agencies are not good institutions,
but I don't want them controlling encryption code. They can spy
in other ways to get info on you. Of course I am not even suggesting
this is true. It is a trust issue, and I am wise about the
Machiavellian world. 

The second is:
How do I know that the email is not being spoon-fed to me?
I mean Werner could have posted email with the correct md5sum
of his copy, and someone on my server, (or along the route), could
edit his email to match the md5sum of the bogus copy that they switched
on me
when I downloaded. Thereby I would be fooled into thinking that I had 
confirmation from Werner about the validity of the download.
I find it worrisome that Werner didn't sign the md5sum file.
Signing was the first thing explained in the Readme.
Would you be kind enough to sign the md5sum file with ascii
armor and put it on the mail list? I mean it is ascii armored
so we could receive it thru email. It would only be a few k.
I don't understand why your mailer can't handle ascii armored files?
Also, why wouldn't it help us, it would say that it came from your
machine.
At least that is what the docs say.

At the very least it will be good practice for all us newbies, and
makes us think about it all more deeply.


Am I being overly paranoid here? I mean there are alot of agents with
computers out there
and alot of money goes into surveillance. Why not keep REAL crypto from
the average citizen?
And......how do we know that the people who run the newtworks are not
playing games with us?

zentara ....crypto newbie