Trust of GPG4Win - Part 1

Werner Koch wk at gnupg.org
Sun Jul 28 10:27:57 CEST 2013


On Sat, 27 Jul 2013 07:22, hhhobbit at securemecca.net said:

> https://dl.acm.org/citation.cfm?id=2382230

Thanks for the pointer.  Actually, I was not aware of this article
before I read the Yarom/Falkner paper.  I would have appreciated it if Zhang
et al. had notified me of the problem, so that we could have fixed it
already last year.

> For a second corroborating source of the SHA1 hashes and file
> sizes look here for the current and potential new ones:

A note about the Intevation distribution key: For quite some time I
signed the installer files using my usual dist key.  In fact I built the
installer on my machines.  Then some people demanded that the installer
should be code signed so that Windows no longer prints a warning
about an unknown vendor.  Intevation found that argument convincing and
purchased a signing key.  Thus they now do the release and the signing.
That is easier and not less secure than if I would build it, send it to
them for code signing, receive it back and OpenPGP sign the exe files.

BTW, only about 10% of the Gpg4win downloaders also download the .sig
file.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.
