Security Concern: Unsigned Windows Executable
John Clizbe
John at Mozilla-Enigmail.org
Fri Jun 12 23:32:37 CEST 2009
Doug Bateman wrote:
> Here's an interesting question.... why does GnuPG.org bother providing a
> GPG signature with its downloaded files?
To check the integrity and authenticity of the downloaded file? Not
everyone is bootstrapping GnuPG onto a new machine or even using Windows.
> So this raises the question... If we bother GPG signing our
> distributions, why not also Authenticode sign the .exe's so that users
> who don't already have GPG installed can verify the download? Is it
> about cost (~$200/3 years)? Is it about principle? Is it about the
> effort to add the authenticode signature to the Win32 build script?
A one-year Comodo software signing cert costs $179. But I don't think
cost is the block.
Maybe it has something to do with requiring use of a proprietary
Microsoft SDK?
Just a guess as no proprietary software is used in the generation of the
Windows installer.
--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
More information about the Gnupg-users mailing list