Answer: Are SHA1 sums on gnupg.org checked regularly?
takethebus at gmx.de
Fri Jul 26 17:31:01 CEST 2013
Thanks for the answers.
> If an attacker would modify the archive on
> the gnupg.org server, he would also need to change
> the independent archives like gmane etc. I'm pretty sure
> this will be spotted relatively soon.
I did a Google search for the subject of your email, in which you announced
the new version, i.e. for "[Announce] GnuPg 2.0.20 released" (without
quotation marks) and got 4 results:
I agree with you that it's unlikely an attacker tampers with them all; still,
it's just 4 webpages...
I think next to the download link of a gnupg version on gnupg.org you should
also note the subject of the email, in which this version was announced, so
people can search for it more easily. Such a notice could also be added to
What do you think?
> Oh and well the attacker would also need to tell you why the
> signature of the mail does not anymore check out.
> In any case we don't rely on the checksums but on the OpenPGP signatures
I'm thinking of someone who uses Windows and wants to install gnupg for the
first time. How can he/she rely on OpenPGP? He/she would have to check the
signature with the (possibly tampered) gnupg version he just downloaded. I'm
afraid such a person needs to rely on the SHA1 sum, and the only thing he can
do is to compare his SHA1 sum with as many sources as possible. Which other
sources are there? Does the c't publish SHA1 codes? Is it perhaps a good
idea to first download an older version of gnupg for which more sources are
I still have to check whether there are enough sources for Windows users. Do
you know some? I will talk about the Windows operating system in my gpg4win
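The bootstrapping problem raised in this message (a first-time user has no trusted gpg to verify the signature, so the only check available is comparing the archive's checksum against as many independently obtained published sums as possible) can be made mechanical. The script below is an added example, not part of the original mail or of the GnuPG project: it hashes a local file, compares the result against sums the user has copied from several sources, and refuses to call the download "ok" unless at least two independent sources agree and none disagrees. The source names and digests in `demo()` are constructed for illustration; the file is a throwaway temp file, not a real GnuPG archive. SHA-1 is used because that is what the thread discusses; the same routine works with `hashlib.sha256`, which is what current download pages publish.

```python
import hashlib
import os
import tempfile


def file_sha1(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_sources(local_sum, published):
    """Compare a locally computed digest with digests copied from several sources.

    published maps a source label (where the user read the sum) to the digest
    string as copied; whitespace and case differences are tolerated because
    sums are often pasted from web pages or mail bodies.

    Returns (verdict, agreeing_sources, disagreeing_sources) where verdict is:
      "no-sources"  nothing to compare against
      "conflict"    at least one source publishes a different sum (investigate)
      "weak"        only one source agrees; a single mirror is not enough
      "ok"          two or more sources agree and none disagrees
    """
    local = local_sum.strip().lower()
    normalized = {src: s.strip().lower() for src, s in published.items()}
    agreeing = sorted(src for src, s in normalized.items() if s == local)
    disagreeing = sorted(src for src, s in normalized.items() if s != local)
    if not normalized:
        verdict = "no-sources"
    elif disagreeing:
        verdict = "conflict"
    elif len(agreeing) < 2:
        verdict = "weak"
    else:
        verdict = "ok"
    return verdict, agreeing, disagreeing


# Constructed sample "archive" contents; SHA-1 of b"hello" is well known.
SAMPLE_BYTES = b"hello"
SAMPLE_SHA1 = "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"


def demo():
    """Write the constructed sample to a temp file and compare its SHA-1 against
    three constructed 'published' sums: two correct, one deliberately altered to
    stand in for a tampered mirror. Returns the verdict tuple."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_BYTES)
        local = file_sha1(path)
    finally:
        os.remove(path)
    published = {
        "announcement mail (constructed)": SAMPLE_SHA1.upper(),   # case differs, still matches
        "list archive copy (constructed)": "  " + SAMPLE_SHA1 + "\n",  # whitespace, still matches
        "mirror B (constructed, altered)": "0" * 40,              # does not match
    }
    return check_against_sources(local, published)


if __name__ == "__main__":
    verdict, agree, disagree = demo()
    print("verdict:", verdict)
    print("agree:", agree)
    print("disagree:", disagree)
```

Running it prints `conflict`, because one constructed source disagrees; in the thread's scenario that is exactly the signal a first-time user wants before trusting the archive, and the disagreeing source name tells them which copy to look at more closely. Note that "ok" still only shows that the copies agree with each other; it does not replace the OpenPGP signature check once a trusted gpg is available.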