[Announce] GnuPG 2.1.1 released

Doug Barton dougb at dougbarton.email
Sat Dec 20 22:50:16 CET 2014

On 12/19/14 11:28 AM, Ludwig Hügelschäfer wrote:
| On 19.12.14 18:09, Doug Barton wrote:
|> Thank you for the time you've spent on this, but a minor quibble if
|> you don't mind. Could you please provide signatures for the dmg
|> files,
| Open the .dmg and you'll notice the signature of the Installer
| (Install.pkg).

If you look at (what in my mind are) the parallels in Windows
(exes/installers) and Unix (tarballs) I don't have to perform any
actions on them at all prior to verifying the signatures. I'd like to
have the same luxury for the dmg file.

In addition to the above, the 1 signature only covers that 1 item, there
are other items in the dmg file.

Now that said, perhaps it is my relative unfamiliarity with the dmg
format that is causing my concern. It seems to me (on experience and
some reading, both limited) that there are "things" that happen when I
open one, similar to the autoplay feature for optical discs in Windows.
That's part of the reason I'd like to be able to verify the dmg before
opening it.

If that last concern is misplaced, then I am less hesitant, however it
would still seem to be a good operational practice to sign the whole
blob. Admittedly that is less tidy, as now you have two files to keep
track of instead of one, but since I use all 3 OS', it's not
particularly burdensome from my perspective.


More information about the Gnupg-users mailing list