Why trust gpg4win?

Anthony Papillion anthony at cajuntechie.org
Fri Jul 26 23:53:27 CEST 2013

On Jul 26, 2013, at 4:02 PM, "Jan" <takethebus at gmx.de> wrote:

> Still I wonder whether there are many sources for SHA1 sums of  
> gpg4win, that could be used by a Windows user to test the integrity
> of his download (C't ?). Are the SHA1 sums of gpg4win presented on  
> the download site checked regularly by their authors?

If we believe Edward Snowden, the Security Services likely aren't
working to slip secret code into GPG anymore. Or at least it's not a
huge effort. With the endpoints (operating systems, software, etc.)
they don't have to. There are a million different ways that a security
service could get at your data even if your encryption software is
absolutely perfect and uncompromised. Honestly, I'd worry much more
about the surrounding environment than the gpg code itself. That's not to
say ignore the code and its integrity, but don't fall into the trap
of believing that, just because the badges check out, you're
completely safe.

Best Regards,
Anthony Papillion
