Security Concern: Unsigned Windows Executable

Robert J. Hansen rjh at
Tue Jun 2 14:37:30 CEST 2009

John Clizbe wrote:
> Your #3 comment is confusing. There is no .SIG to download if verifying
> with sha1sum. You run sha1sum against the file you wish to verify and
> compare the program output with the published value.
> Are you proposing some MITM attack of a replaced installer executable
> with an /identical/ SHA-1 value?

Alternately, he could be implying an active MitM attack, where the
attacker is intercepting both the downloaded hash value (replacing it
with the trojaned version's hash value) and the application itself
(replacing it with a trojaned version).

That said, if you're presently being targeted by people who are capable
of intercepting and modifying your network traffic in realtime, neither
GnuPG nor Authenticode signatures can help you.  You need professional
help: lawyers and security geeks will help you an awful lot more than
HTTPS or Authenticode.

> sha1sum and md5sum are widely available as source.  If you're so
> committed to this verified and signed thing that you're unwilling to
> trust anything, you probably should look into building some things of
> your own.

Insert mandatory "reflections on trusting trust" reference here.

The sentiment of "I must build it from source if I'm going to trust it"
is great, but then you have to ask questions about your compiler, your
system libraries, etc., until you're left hand-hacking Assembly
instructions for a low transistor count CPU you've personally
lithographed yourself from your own personal design.

More information about the Gnupg-users mailing list