MacOSX help - beginner installation, first time

Ángel angel at pgp.16bits.net
Sun May 24 20:15:44 CEST 2020


On 2020-05-23 at 03:42 -0400, Cyrus Segura via Gnupg-users wrote:
> Hi everyone,
> 
> 
> I'm new to GnuPG. I'm trying to install it for MacOSX, and I have a
> beginner's question.
> 
> 
> ***Do I need to verify more information about the validity of GnuPG
> if:
> 
> 
> 1.) The SHA-256 checksum on my Mac's Terminal matches the one on
> SourceForge where the Mac installer (.dmg) file is?
> 
> 
> 2.) The Mac installer (.dmg) and the Mac signature for the installer
> (.dmg.sig) are both verified on my Mac's separate program "GPG
> Suite" (made by "https://gpgtools.org/")?
> 
> 
> ***The files in question are "GnuPG-2.2.20.dmg",
> "GnuPG-2.2.20.dmg.sig", and "Enigmail_public_key.asc". The link for
> the Mac downloads is "https://sourceforge.net/p/gpgosx/docu/Download/"
> 
> 
> Thank you very much for your time!
> 
> Cyrus


What's your threat model?
What are the capabilities of an attacker? Are they able to modify the
files you are being shown? (maybe by compromising the SourceForge page,
or tampering with your connection)


Let's suppose you verified the dmg file GnuPG-2.2.20.dmg has SHA-256
39970099819616d4b66a4e471ce26db97384948d0f375e02aae9d9de1d69baa5

You downloaded Enigmail_public_key.asc and checked it has fingerprint
4F9F 89F5 505A C1D1 A260  631C DB11 87B9 DD5F 693B

You performed these checks with programs known to be honest (a
hard-to-prove problem on its own; we probably take that as an axiom).


The values above are those I am being shown there. If they match those
you see, that suggests either:
* your connection is not tampered with (you are shown the same as me)
* those values are tampered with at their source. It's unlikely that both
your and my connections are tampered with by the same actor, but perhaps
they modified the web server.
* I sent you the correct values I was seeing, but that malicious actor
changed them before/after they arrived in your inbox.
* I am part of the cabal that is trying to fool you into accepting those
malicious files


Even if those you got are the 'real' files, that only means those are
the ones produced by Patrick Brunschwig. Do you trust him? Do you trust
all the code he used to produce that package? Do you trust that neither
the build machine nor his key was compromised?


Best regards
