[Announce] GnuPG 2.1.1 released

Werner Koch wk at gnupg.org
Sat Dec 20 12:21:08 CET 2014


On Fri, 19 Dec 2014 18:22, rjh at sixdemonbag.org said:

> While we're on the subject -- it might be nice for GnuPG to be able to
> issue proper Authenticode-signed Windows binaries.  Code signing
> certificates are fairly affordable although the paperwork is a headache.

Actually we (Intevation in this case) do this for Gpg4win.  People seem
to like this although I do not see a real security benefit in it.  If
you look at the download stats for December

 | Version    | tar/exe |  sig | %  |
 |------------+---------+------+----|
 | 2.1.0/tar  |     837 |  419 | 50 |
 | 2.0.26/tar |    4770 | 1635 | 34 |
 | 1.4.18/tar |    1451 |  429 | 30 |
 | 1.4.18/exe |     635 |  110 | 17 |

(which also include automated downloads from mirrors not using rsync)

It shows that less than 20% of the Windows users check the signatures.
It might of course be their first gpg download and thus they can't make
use of the signature anyway.  However, given the number of the tarball
downloads it is obvious that verification of signatures is not a
standard procedure.

Thus I do not think that Authenticode would harm even given that it is
possible to buy the private key for an existing Authenticode certificate.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
