Security Concern: Unsigned Windows Executable

Doug Bateman doug at dougbateman.net
Mon Jun 1 00:29:28 CEST 2009


Dear GnuPG Team,

I challenged myself to verify all software that I download on my new machine
is verified and signed.  Sadly, Win-GnuPG let me down.  Here's why.

Most software was distributed as a signed .exe file (using the Windows
signed .EXE format).  Some was not signed, but available via an https
connection, allowing me to verify the originating source.  And some, such as
Cygwin, WinGnuPG, and sha1sum, required I already have GnuPG or sha1sum
already installed to verify the .sig.  Of course, this creates a
bootstrapping problem for several reasons: 1) These .exe's aren't signed
windows .exe's, 2) They aren't available via https (and thus can't ensure
there isn't a man-in-the-middle), and 3) Even if I had sha1sum, I'd have to
use http and not https to download the .sig file, allowing for the
man-in-the-middle to deliver a checksum matching his hacked version.

Using GnuPG to verify downloads does nothing, if I can't verify that GnuPG
itself isn't valid.

Now yes, you'll say "You're running Windows XP, that's your problem".  Yes,
yes, this is true.  However, it still leaves the issue... why isn't an HTTPS
download or a Signed Windows .EXE available, so that users can have
confidence in what is downloaded from the GnuPG project?

Regards,
Doug Bateman

P.S.  Please CC: me on the reply if possible.
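The bootstrapping problem described in the message, modelled as an added example (not code from the post or from the GnuPG project): each download declares the verification methods its distributor offers, each method relies on components that must already be trusted, and a fixed-point pass shows which artifacts can ever be verified starting from what the OS ships. The artifact names, method names and the "editor" entry are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Each verification method and the already-trusted components it relies on.
# None means the method never establishes trust: whoever controls the plain
# http connection can replace the file and its checksum together.
METHOD_NEEDS: Dict[str, Optional[Set[str]]] = {
    "authenticode": {"os"},                   # Windows validates the signed .exe
    "https": {"os"},                          # TLS using the OS's CA roots
    "gpg-sig": {"gnupg"},                     # detached .sig, needs a trusted GnuPG
    "sha1sum-over-https": {"os", "sha1sum"},  # checksum fetched over TLS
    "sha1sum-over-http": None,                # unauthenticated checksum
}

def resolve_trust(downloads: Dict[str, List[str]], roots: Set[str]) -> Dict[str, str]:
    """Map each artifact to the method that let it be trusted, starting from
    `roots`. Iterates to a fixed point, so an artifact that becomes trusted
    (e.g. GnuPG) unlocks everything that depends on it. Artifacts missing from
    the result cannot be verified without circular trust."""
    trusted = {r: "root" for r in roots}
    changed = True
    while changed:
        changed = False
        for name, methods in downloads.items():
            if name in trusted:
                continue
            for m in methods:
                needs = METHOD_NEEDS[m]
                if needs is not None and needs.issubset(trusted):
                    trusted[name] = m
                    changed = True
                    break
    return trusted

def blocked(downloads: Dict[str, List[str]], roots: Set[str]) -> List[str]:
    """Artifacts that no offered method can verify from the given roots."""
    return sorted(n for n in downloads if n not in resolve_trust(downloads, roots))

# Constructed scenario mirroring the post: GnuPG, Cygwin and sha1sum offer only a
# detached .sig (or a checksum over plain http); one other tool is Authenticode-signed.
SCENARIO: Dict[str, List[str]] = {
    "gnupg":   ["gpg-sig"],
    "cygwin":  ["gpg-sig"],
    "sha1sum": ["gpg-sig", "sha1sum-over-http"],
    "editor":  ["authenticode"],
}

def with_https_gnupg() -> Dict[str, List[str]]:
    """The remedy the post asks for: also serve the GnuPG installer over HTTPS
    (an Authenticode-signed installer would break the cycle the same way)."""
    fixed = {k: list(v) for k, v in SCENARIO.items()}
    fixed["gnupg"].append("https")
    return fixed

if __name__ == "__main__":
    print("as-is   :", blocked(SCENARIO, {"os"}))            # ['cygwin', 'gnupg', 'sha1sum']
    print("with fix:", blocked(with_https_gnupg(), {"os"}))  # []
```

Once GnuPG itself is trusted through an OS-rooted channel, every artifact that ships only a detached .sig becomes verifiable in the same pass, which is exactly the dependency the message complains about.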