windows binary for gnupg 1.4.11 // compilation instructions posted

Ingo Klöcker kloecker at kde.org
Tue Sep 20 22:20:31 CEST 2011 

On Friday 16 September 2011, Robert J. Hansen wrote:
> On 9/16/2011 2:49 PM, vedaal at nym.hush.com wrote:
> > Because then who is to say that it wasn't tampered with?
> 
> Who's to say the one on ftp.gnupg.org wasn't tampered with?  It would
> be fairly easy to make a version of GnuPG that always reported
> itself as having a good signature.  (See, e.g., Ken Thompson,
> _Reflections on Trusting Trust_.  David A. Wheeler had an
> interesting solution to Thompson's problem, but in the main
> Thompson's remarks are still quite applicable. [1])
> 
> And if you're downloading source code and compiling from source --
> how do you know the source wasn't tampered with?  A back door could
> be hidden inside the code, making sure that whenever you attempted
> to verify... etc., etc.

The backdoor could even be hidden in the compiler. Who says Microsoft 
can be trusted?


> > The whole point is to start with gnupg.org signed and verified
> > material, and then let the user take it from there.
> 
> You can't.  I hate to rain on the parade, but this is simply not
> achievable.  At some point you have to accept something on faith. 
> The only question is what you'll accept.
> 
> In the extreme case, let's say GnuPG hosts a Windows binary and posts
> an MD5 sum of it.  How do you know the MD5 sum that's posted is
> accurate? Werner's signature on it is meaningless: you don't have a
> trusted copy of GnuPG you can use to verify the signature.  The
> posted MD5 sum could have been tampered with and you wouldn't know. 
> Etc., etc.

Well, one could use PGP or another independent implementation of OpenPGP 
to verify the signature on GnuPG. And then one could use GnuPG to verify 
the other implementation. Of course, they could still both have been 
forged by the same entity, but that's a lot less likely.


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20110920/f33b0287/attachment.pgp>

More information about the Gnupg-users mailing list