Security Concern: Unsigned Windows Executable

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 19:16:10 CEST 2009


On 06/02/2009 08:55 AM, Jean-David Beyer wrote:
> obert J. Hansen wrote:
> 
> | you're left hand-hacking Assembly
> | instructions for a low transistor count CPU you've personally
> | lithographed yourself from your own personal design. 
> 
> We get into the very problem Rene Descartes was stuck in until he came up
> with "Cogito, ergo sum." Which I do not think was a solution at all.

guys, with all due respect, the original poster was not asking for a
philosophical digression.  he was asking how he could practically
identify the provenance of the copy of gpg he was hoping to use.  It's
neat to point out how each layer of trust rests on another one, but we
should be giving practical advice which helps the OP push the leaps of
faith necessary to run gpg back by a few levels.

John Clizbe has offered one practical choice (see if PGP Corp. offers a
demo version with a signed executable).  Another choice would be to use
a local, trusted GNU/Linux or *BSD installation to verify Werner's
signature on the package (e.g. put it on a USB stick) and then transfer
the package back to the windows machine for installation.

A third way (if you don't currently have a local trusted free OS
installation) would be to reboot the machine with a liveCD (if you can
find a satisfactory trust path to a LiveCD) or with something like wubi
[0] which itself might offer a signed windows installer (i haven't
checked).  You can use wubi or the liveCD to verify Werner's signature
on the packages, and then transfer them back to the windows machine to
install.

hth,

	--dkg

[0] http://wubi-installer.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090602/95a7229c/attachment.pgp>


More information about the Gnupg-users mailing list