Trust of GPG4Win - Part 1

Werner Koch wk at
Sun Jul 28 10:27:57 CEST 2013

On Sat, 27 Jul 2013 07:22, hhhobbit at said:


Thanks for the pointer.  Actually, I was not aware of this article
before I read the Yarom/Falkner paper.  I would have appreciated it if Zhang
et al. had notified me of the problem, so that we could have fixed it
already last year.

> For a second corroborating source of the SHA1 hashes and file
> sizes look here for the current and potential new ones:

A note about the Intevation distribution key: For quite some time I
signed the installer files using my usual dist key.  In fact I built the
installer on my machines.  Then some people demanded that the installer
should be code signed so that Windows no longer prints a warning
about an unknown vendor.  Intevation found that argument convincing and
purchased a signing key.  Thus they now do the release and the signing.
That is easier and not less secure than if I built it, sent it to
them for code signing, received it back and OpenPGP-signed the exe files.

BTW, only about 10% of the Gpg4win downloaders also download the .sig.



Thoughts are free.  Exceptions are regulated by a federal law.
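As an added example, not from the message above nor from the Gpg4win project: checking a downloaded installer against a published SHA1-and-size listing of the kind referred to in the thread. The listing format, the file names and the installer bytes below are constructed for illustration (the hashes are the well-known SHA1 values of the constructed byte strings, not any real release checksum). A hash match only corroborates a download; it does not replace verifying the detached .sig with gpg against a key you trust.

```python
"""Check a downloaded installer against a published SHA1/size listing.

Example code; the listing format '<sha1>  <size>  <filename>' is an
assumption made for this illustration, not the layout of any real page.
"""
import hashlib
import string
from typing import Dict, NamedTuple


class Expected(NamedTuple):
    sha1: str   # lowercase hex digest, 40 characters
    size: int   # file size in bytes


# Constructed listing: the second column is the byte count, the first the
# SHA1 of those bytes.  These are stand-ins, not Gpg4win release values.
SAMPLE_LISTING = """\
# sha1                                      size  file
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12    43    gpg4win-example.exe
a9993e364706816aba3e25717850c26c9cd0d89d     3    gpg4win-light-example.exe
"""

# Constructed "download": 43 bytes whose SHA1 is the first entry above.
GOOD_DOWNLOAD = b"The quick brown fox jumps over the lazy dog"


def parse_listing(text: str) -> Dict[str, Expected]:
    """Parse the listing into {filename: Expected}.

    Blank lines and '#' comments are skipped; a malformed line or a
    non-hex / wrong-length digest raises ValueError rather than being
    silently ignored, so a mangled listing cannot pass as a match.
    """
    table: Dict[str, Expected] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<sha1> <size> <filename>'")
        digest, size, name = parts
        digest = digest.lower()
        if len(digest) != 40 or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"line {lineno}: '{digest}' is not a SHA1 hex digest")
        table[name] = Expected(digest, int(size))
    return table


def sha1_of_stream(fileobj, chunk_size: int = 1 << 20) -> str:
    """SHA1 of a file object, read in chunks so large installers fit in memory."""
    h = hashlib.sha1()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def check_download(name: str, data: bytes, table: Dict[str, Expected]) -> str:
    """Return 'ok', 'not-listed', 'size-mismatch' or 'sha1-mismatch'.

    The cheap size comparison runs first; only a size match is hashed.
    """
    expected = table.get(name)
    if expected is None:
        return "not-listed"
    if len(data) != expected.size:
        return "size-mismatch"
    if hashlib.sha1(data).hexdigest() != expected.sha1:
        return "sha1-mismatch"
    return "ok"


def check_file(path: str, name: str, table: Dict[str, Expected]) -> str:
    """Same check for a file on disk, hashing it in chunks."""
    expected = table.get(name)
    if expected is None:
        return "not-listed"
    with open(path, "rb") as f:
        data_size = f.seek(0, 2)
        if data_size != expected.size:
            return "size-mismatch"
        f.seek(0)
        if sha1_of_stream(f) != expected.sha1:
            return "sha1-mismatch"
    return "ok"


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print(check_download("gpg4win-example.exe", GOOD_DOWNLOAD, listing))
    tampered = GOOD_DOWNLOAD[:-1] + b"G"   # same length, one byte changed
    print(check_download("gpg4win-example.exe", tampered, listing))
```

The size check is deliberately separate from the hash check so a truncated or padded download is reported as such before any hashing happens; a same-length modification is only caught by the digest, which is why a size column alone is never enough.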
