How to get your first key signed
peter at digitalbrains.com
Thu Oct 1 14:32:37 CEST 2015
On 01/10/15 13:08, Bob Henson wrote:
> If the program has been altered the signature will fail, will it not?
Well, first of all, a checksum is not a cryptographic hash. It has
different properties: a checksum usually has no collision resistance.
Which is why the designers of WEP should have never chosen CRC-32 to
protect their data, especially since said data was encrypted with a
stream cipher. Anyway, it was not the most important shortcoming of
WEP, so it doesn't truly matter ;).
And a signature by a key has a lot of extra information that simply
putting a hash value on the website where you offer the download does
not have. Just a hash value on the website does not tell me who
calculated that hash value, and whether there is some MITM between me
and the website.
 Stream ciphers allow you to flip single bits in the plaintext. And
when I flip a bit in a piece of data, I know exactly which bit I need to
flip in the CRC-32 checksum to make the checksum correct again. So the
CRC-32 was completely useless for protection against malicious bitflips
in the plaintext it was supposed to protect.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users