Verifying and checksumming new release is somewhat cumbersome
spam.trap.mailing.lists at gmail.com
Fri Nov 27 23:07:12 CET 2020
On Thu, Nov 26, 2020 at 9:18 PM Werner Koch via Gnupg-users
<gnupg-users at gnupg.org> wrote:
> and thanks for asking.
> On Thu, 26 Nov 2020 19:12, john doe said:
> > Is there a URL to download those sha1sums and those public keys as files?
> The problem with sha1sums is that a single publication would be easy to
> fake. The only known countermeasure is to widely distribute them. We
> do have them on the website as you noticed, they are sent out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.
> No, there is no single file with the checksums because that would be
> too easy a target for an attacker.
Maybe not common among programmers, but you could easily clearsign
the shasums text file and then additionally use a public time stamping service;
thus first-time users would know that the signed shasums file had
actually been signed at day x time y, if you also provided the .ots file.
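The verification side of the suggestion above (a clearsigned checksum file plus a timestamp proof), as an added example that is not part of this thread or of GnuPG's own tooling: it asks gpg for the signature status, strips the clearsign armor and RFC 4880 dash-escaping, and compares the listed digests against the downloaded files. The sample checksum text, the filename gnupg-X.Y.Z.tar.bz2 and the placeholder signature are constructed.

```python
"""Check a release against a clearsigned checksum file such as SHA256SUMS.asc (added example)."""
import hashlib
import re
import subprocess

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
SUM_LINE = re.compile(r"^([0-9A-Fa-f]{64})\s+\*?(.+)$")  # sha256sum output format

# Constructed sample: the signature block is a placeholder, so gpg would reject it;
# the point is the dash-escaped comment line and the checksum line inside the signed text.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -- constructed checksum list, not a real GnuPG release --
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  gnupg-X.Y.Z.tar.bz2
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
"""


def gpg_verify(signed_path: str) -> bool:
    """Run gpg on the file; True only if it reports VALIDSIG (good signature, key in keyring)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", signed_path],
                          capture_output=True, text=True, check=False)
    return any(l.startswith("[GNUPG:] VALIDSIG") for l in proc.stdout.splitlines())


def signed_body(clearsigned: str) -> str:
    """Return the text the signature covers, undoing RFC 4880 dash-escaping ('- ' prefix)."""
    lines = clearsigned.splitlines()
    start = lines.index(BEGIN_SIGNED) + 1
    while lines[start].strip():          # skip the 'Hash:' armor headers up to the blank line
        start += 1
    end = lines.index(BEGIN_SIG)
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start + 1:end])


def parse_checksums(body: str) -> dict:
    """Map filename -> expected sha256 hex digest; lines that are not checksums are ignored."""
    matches = (SUM_LINE.match(l) for l in body.splitlines())
    return {m.group(2): m.group(1).lower() for m in matches if m}


def check_checksums(sums: dict, files: dict) -> dict:
    """files maps filename -> bytes. Result per listed file: True, False, or None if absent."""
    return {name: None if files.get(name) is None
            else hashlib.sha256(files[name]).hexdigest() == digest
            for name, digest in sums.items()}
```

Only act on the checksums after gpg_verify has returned True for a key you trust; the .ots proof the post mentions is checked separately with the OpenTimestamps client (ots verify SHA256SUMS.asc.ots).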