Security Concern: Unsigned Windows Executable

John Clizbe John at
Fri Jun 12 23:32:37 CEST 2009

Doug Bateman wrote:
> Here's an interesting question.... why does bother providing a
> GPG signature with its downloaded files?

To check the integrity and authenticity of the downloaded file? Not
everyone is bootstrapping GnuPG onto a new machine or even using Windows.

> So this raises the question... If we bother GPG signing our
> distributions, why not also Authenticode sign the .exe's so that users
> who don't already have GPG installed can verify the download?  Is it
> about cost (~$200/3 years)?  Is it about principle?  Is it about the
> effort to add the Authenticode signature to the Win32 build script?

A one-year Comodo software signing cert costs $179. But I don't think
cost is the block.

Maybe it has something to do with requiring use of a proprietary
Microsoft SDK?

Just a guess as no proprietary software is used in the generation of the
Windows installer.

John P. Clizbe                      Inet:John (a)
You can't spell fiasco without SCO. hkp://  or
     mailto:pgp-public-keys at

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
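As an added example (not part of this thread and not the GnuPG project's own build or release scripts), here is the "check the integrity and authenticity of the downloaded file" step John refers to, exercised end to end: a throw-away release key signs a constructed installer file with a detached signature, then a user-side check runs `gpg --verify` against the original and against a tampered copy. It assumes gpg 2.1 or later on PATH; the key's user ID, the file names and the installer bytes are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the GnuPG project: the
# "verify the download" step a user performs with GnuPG, exercised end to end
# against a throw-away signing key so it runs offline.
# Assumes gpg 2.1+ on PATH; every file name and the installer bytes are constructed.
set -u

command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 1; }

# Isolated keyring so nothing touches the user's real ~/.gnupg.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# Non-interactive gpg: no pinentry, empty passphrase (demo key only).
g() { gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Release-engineering side: a signing key and a detached signature
#    (the .sig file that is published next to the installer).
g --quick-gen-key "Example Release Signer <release@example.invalid>" default default never
INSTALLER="$WORK/gnupg-w32-installer.exe"
printf 'MZ constructed installer bytes\n' > "$INSTALLER"
g --armor --detach-sign --output "$INSTALLER.sig" "$INSTALLER"

# 2. User side: what `gpg --verify file.sig file` actually checks.
#    Exit status 0 only for a good signature from a key in the local keyring;
#    a modified file, a wrong signature or an unknown key gives non-zero.
verify_download() {
    # $1 = downloaded file, $2 = its detached signature
    gpg --batch --no-tty --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# A tampered copy: one appended byte is enough to break the signature.
TAMPERED="$WORK/gnupg-w32-installer-tampered.exe"
cp "$INSTALLER" "$TAMPERED"
printf 'X' >> "$TAMPERED"

if verify_download "$INSTALLER" "$INSTALLER.sig"; then
    echo "original installer: GOOD signature"
else
    echo "original installer: verification FAILED"
fi
if verify_download "$TAMPERED" "$INSTALLER.sig"; then
    echo "tampered installer: GOOD signature (should not happen)"
else
    echo "tampered installer: BAD signature, as expected"
fi
```

Because the key here was generated locally it is already in the keyring and ultimately trusted, so the only question `gpg --verify` answers is whether the bytes changed. For a real download the user must first obtain the release signing key from a source independent of the download itself; a good signature from a key nobody has vetted proves integrity but not authenticity, which is the gap an Authenticode signature (with its CA-issued certificate) is meant to close for users who have no keyring at all.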

