Answer: Are SHA1 sums on gnupg.org checked regularly?

[Jan]

Thanks for the answers.

> If an attacker would modify the archive on
> the gnupg.org server, he would also need to change
> the independent archives like gmane etc.  I pretty sure
> this will be spotted relatively soon.

I did a google search for the subject of your email, in which you announced 
the new version, i.e. for "[Announce] GnuPg 2.0.20 released" (without 
quotation marks)  and got 4 results:

http://lists.gnupg.org/pipermail/gnupg-announce/2013q2/000328.html
http://lists.gnu.org/archive/html/info-gnu/2013-05/msg00004.html
http://comments.gmane.org/gmane.comp.encryption.gpg.devel/17871
http://browse.feedreader.com/c/GnuPG_org/420068682

I agree with you, that its unlikely an attacker tampers them all, - still, 
its just 4 webpages...

I think next to the download link of a gnupg version on gnupg.org you should 
also note the subject of the email, in which this version was announced, so 
people can search for it more easily. Such a notice could also be added to
http://www.gnupg.org/download/integrity_check.en.html .
What do you think?


> Oh and well the attacker would also need to tell you why the
> signature of the mail does not anymore check out.
> In any case we don't rely on the checksums but on the OpenPGP signatures

I'm thinking of someone how uses windows and wants to install gnupg for the 
first time. How can he/she rely on OpenPGP? I would have to check the 
signature with the (possibly tampered) gnupg version he just downloaded. I'm 
afraid such a person needs to rely on the SHA1 sum and the only thing he can 
do is to compare his SHA1 sum with as many sources as possible. Which other 
sources are there? Does the C't publish SHA1 codes? Is it perhaps a good 
idea to first download an older version of gnupg for which more sources are 
available?

I still have to check whether there are enough sources for windows users. Do 
you know some? I will talk about the windows operating system in my gpg4win 
thread soon.

Thanks again,
Jan