[Announce] GnuPG 2.1.1 released

Andre Heinecke aheinecke at intevation.de
Sat Dec 20 22:13:17 CET 2014


On Saturday 20 December 2014 12:21:08 Werner Koch wrote:
> Thus I do not think that Authenticate would harm even given that it is
> possible to buy the private key for an existing Authenticode certificate.

I actually love authenticode. It means that you can do some steps to get to 
the "Operating System" level of trust. Sure you can buy your way into this 
but that is the Operating System level of trust that is asserted through 
HTTPS connections / Windows Update and so on. It is weak, i grant you that, 
but it is at least _some_ automatic authentication of binaries. 
I'm playing a game on a Windows Machine currently (Archeage) that requires 
administrative access for each launch!,.. and they did not even care to sign 
their binary. This is just security sadism. (I keep my GNU/Linux partitions 
on which i do any work or store secrets encrypted)

In a different project at intevation we signed all binaries in our installer 
keeping packaging and building on different systems. As we won't expose our 
private keys to propietary systems that meant running wine to create the nsis 

Maybe this is also something for the future of gpg4win. (Btw. We use 
osslsigncode which is a really great tool that allows you to create 
authenticode PKCS#7 signatures under GNU/Linux.)

With regards to the original question. I'd be happy to sign your experimental 
gnupg only installers with our code signing certificate (and be quick about 
it) after verifying your signature. Intevation trusts g10code (we heavilly 
use gnupg internally where the source is verified by Werner)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20141220/862fdee0/attachment.sig>

More information about the Gnupg-users mailing list