[Announce] GnuPG 2.1.1 released
Andre Heinecke
aheinecke at intevation.de
Sat Dec 20 22:13:17 CET 2014
Hi,
On Saturday 20 December 2014 12:21:08 Werner Koch wrote:
> Thus I do not think that Authenticode would harm even given that it is
> possible to buy the private key for an existing Authenticode certificate.
I actually love Authenticode. It means that you can do some steps to get to
the "Operating System" level of trust. Sure, you can buy your way into this,
but that is the Operating System level of trust that is asserted through
HTTPS connections / Windows Update and so on. It is weak, I grant you that,
but it is at least _some_ automatic authentication of binaries.
I'm playing a game on a Windows machine currently (Archeage) that requires
administrative access for each launch! ... and they did not even care to sign
their binary. This is just security sadism. (I keep my GNU/Linux partitions,
on which I do any work or store secrets, encrypted.)
In a different project at Intevation we signed all binaries in our installer,
keeping packaging and building on different systems. As we won't expose our
private keys to proprietary systems, that meant running Wine to create the NSIS
uninstaller.
Maybe this is also something for the future of gpg4win. (Btw., we use
osslsigncode, which is a really great tool that allows you to create
Authenticode PKCS#7 signatures under GNU/Linux.)
With regards to the original question: I'd be happy to sign your experimental
gnupg-only installers with our code signing certificate (and be quick about
it) after verifying your signature. Intevation trusts g10code (we heavily
use gnupg internally, where the source is verified by Werner).
Regards,
Andre
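For readers who have not looked at what osslsigncode (or signtool) actually writes into a PE file, here is an added example that is not part of the post and not code from osslsigncode or gpg4win. It locates the Authenticode certificate table via the security data directory, extracts the embedded PKCS#7 blobs, and computes the byte range the Authenticode hash covers: everything except the CheckSum field, the security directory entry and the certificate table itself, which is why the signature can be appended after the hash is taken and stripped again without changing it. The sample PE32+ image is constructed by hand with a dummy blob in place of real SignedData; the hash computation is the simplified form that assumes sections sit in file order with no gaps (real verifiers walk the section table), and all function names are this example's own.

```python
"""Where an Authenticode signature lives in a PE file and what it covers.
Added example; the image below is constructed test data, not a real binary."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_layout(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) from the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                          # PE32: data directories at +96
        dd_off = opt + 96
    elif magic == 0x20B:                        # PE32+: data directories at +112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64                     # CheckSum sits at +64 in both variants
    secdir_off = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike every other directory, the security entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_size


def extract_signatures(pe: bytes):
    """Walk the WIN_CERTIFICATE entries and return the embedded PKCS#7 blobs."""
    _, _, cert_off, cert_size = pe_layout(pe)
    blobs, pos, end = [], cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        if revision == WIN_CERT_REVISION_2_0 and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7                # entries are 8-byte aligned
    return blobs


def authenticode_covered_bytes(pe: bytes) -> bytes:
    """Bytes the Authenticode hash is taken over (simplified: no section walk)."""
    checksum_off, secdir_off, cert_off, cert_size = pe_layout(pe)
    if cert_size == 0:                          # unsigned image: nothing to cut out
        cert_off = len(pe)
    return (pe[:checksum_off] + pe[checksum_off + 4:secdir_off]
            + pe[secdir_off + 8:cert_off] + pe[cert_off + cert_size:])


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, authenticode_covered_bytes(pe)).hexdigest()


def strip_signatures(pe: bytes) -> bytes:
    """Return the image as it looked before signing: table removed, entry zeroed."""
    _, secdir_off, cert_off, cert_size = pe_layout(pe)
    if cert_size == 0:
        return pe
    out = bytearray(pe[:cert_off] + pe[cert_off + cert_size:])
    struct.pack_into("<II", out, secdir_off, 0, 0)
    return bytes(out)


def build_sample_pe(blob: bytes) -> bytes:
    """Constructed minimal PE32+ (no sections) with `blob` attached as a signature."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    cert_off = len(dos) + 4 + len(coff) + len(opt)
    entry_len = 8 + len(blob)
    padded = (entry_len + 7) & ~7
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, padded)
    cert = struct.pack("<IHH", entry_len, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    cert += blob + b"\0" * (padded - entry_len)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    signed = build_sample_pe(b"dummy PKCS#7 SignedData A")
    print("blobs:", extract_signatures(signed))
    print("digest unchanged by stripping:",
          authenticode_digest(signed) == authenticode_digest(strip_signatures(signed)))
```

Two properties worth checking against a real signed binary: swapping the blob for another of the same length leaves the digest untouched (the signature is not self-covering, so replacing it is a matter of re-signing, not of hash collisions), and flipping any byte inside the covered headers changes it. osslsigncode's `verify` and `extract-signature` commands expose the same structures on real files.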