Are SHA1 sums on gnupg.org checked regularly?

Werner Koch wk at gnupg.org
Fri Jul 26 01:12:21 CEST 2013


On Thu, 25 Jul 2013 21:33, takethebus at gmx.de said:

> Which mailing lists are meant? Can't emails be tampered with, too? If I've

The GnuPG mailing list and all the mailing list archives.  If an
attacker modified the archive on the gnupg.org server, he would also
need to change the independent archives like gmane etc.  I'm pretty sure
this will be spotted relatively soon.  Oh, and the attacker would
also need to tell you why the signature of the mail no longer
checks out.

In any case, we don't rely on the checksums but on the OpenPGP signatures,
which are created by me using a smartcard-hosted key.  But see also the
article I mentioned in my other reply.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.



