Verifying and checksumming new release is somewhat cumbersome

Stefan Claas spam.trap.mailing.lists at gmail.com
Fri Nov 27 23:07:12 CET 2020


On Thu, Nov 26, 2020 at 9:18 PM Werner Koch via Gnupg-users
<gnupg-users at gnupg.org> wrote:
>
> Hi,
>
> and thanks for asking.
>
> On Thu, 26 Nov 2020 19:12, john doe said:
>
> > Is there a URL to download those sha1sums and those public keys as files?
>
> The problem with sha1sums is that a single publication would be easy to
> fake.  The only known countermeasure is to widely distribute them.  We
> do have them on the website as you noticed, they are sent out by signed
> mail to several thousand subscribers, and our and other mail archives
> carry the release announcement with the checksums.
>
> No, there is no single file with the checksums because that would be a
> too easy target for an attacker.

Maybe not common among programmers, but you could easily clearsign
the shasums text file and then use a public time stamping service additionally,
thus first time users would know that the signed shasums file would have been
actually signed at day x time y, if you would also provide the .ots file.

https://opentimestamps.org

Regards
Stefan
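The downloader's side of the scheme proposed above, as an added example that is not part of this thread and not GnuPG project code: take a clearsigned checksum list, check its OpenPGP signature with the real gpg binary (delegated, and skipped when gpg is not installed), recover the signed text exactly as RFC 4880 clearsigning frames it (armor headers, blank line, dash-escaped body, signature block), and compare each listed digest with the files on disk. The file names, digests and the signature block in the demo are constructed sample data, not a real GnuPG release; the helper names (`signed_text`, `parse_checksums`, `verify_files`, `gpg_verify`, `demo`) are this example's own.

```python
"""Verify downloaded files against a clearsigned checksum list.

Added example for this thread, not GnuPG project code. All file names,
digests and the signature block produced by demo() are constructed.
"""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
HEX = set("0123456789abcdef")


def signed_text(clearsigned: str) -> str:
    """Return the text a clearsign signature covers.

    RFC 4880 section 7: armor headers ("Hash: SHA256") end at the first blank
    line; the body runs up to the signature armor; body lines that began with
    '-' were dash-escaped with a "- " prefix so they cannot be mistaken for
    armor, and that prefix is stripped here before the text is used.
    """
    lines = clearsigned.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("not a clearsigned message")
    i = 1
    while i < len(lines) and lines[i] != "":
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == BEGIN_SIG:
            return "\n".join(body)
        body.append(line[2:] if line.startswith("- ") else line)
    raise ValueError("no signature block found")


def parse_checksums(text: str) -> dict:
    """Parse sha1sum/sha256sum style lines ("DIGEST  NAME") into {name: digest}.

    Anything that is not a hex digest followed by a name (announcement prose,
    separators) is ignored, and a leading '*' (binary-mode marker) is dropped.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) in (40, 64, 128) and set(parts[0].lower()) <= HEX:
            result[parts[1].strip().lstrip("*")] = parts[0].lower()
    return result


def verify_files(checksums: dict, directory: Path) -> dict:
    """Recompute each file's digest and compare it with the signed value.

    The algorithm follows from the digest length (40 hex chars sha1, 64 sha256,
    128 sha512). A missing file is reported as a failure, not skipped.
    """
    algo = {40: "sha1", 64: "sha256", 128: "sha512"}
    results = {}
    for name, expected in checksums.items():
        path = directory / name
        if not path.is_file():
            results[name] = False
            continue
        h = hashlib.new(algo[len(expected)])
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        results[name] = h.hexdigest() == expected
    return results


def gpg_verify(path: Path) -> Optional[bool]:
    """Check the signature with the real gpg; None when gpg is not installed.

    The signer's key must already be in the local keyring. A True result only
    says the signature is valid for that key; whether the key is the genuine
    release key is the separate question the thread is about.
    """
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--batch", "--verify", str(path)], capture_output=True)
    return proc.returncode == 0


def demo() -> dict:
    """Constructed sample: two files, a clearsigned list with a placeholder
    signature block, and one file altered after the list was made."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        files = {"sample-1.0.tar.bz2": b"constructed tarball bytes\n",
                 "sample-1.0.tar.bz2.sig": b"constructed detached sig\n"}
        for name, data in files.items():
            (d / name).write_bytes(data)
        listing = "\n".join(f"{hashlib.sha256(data).hexdigest()}  {name}"
                            for name, data in files.items())
        # "- -----" is how gpg --clearsign dash-escapes a body line "-----".
        clearsigned = "\n".join([
            BEGIN_MSG, "Hash: SHA256", "",
            "Constructed sample announcement (not a real release)",
            "- -----", listing,
            BEGIN_SIG, "", "PLACEHOLDER-SIGNATURE-DATA", END_SIG, ""])
        # Simulate a tampered download: the .sig changes after the list was signed.
        (d / "sample-1.0.tar.bz2.sig").write_bytes(b"tampered\n")
        return verify_files(parse_checksums(signed_text(clearsigned)), d)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(("OK      " if ok else "FAILED  ") + name)
```

In real use the order matters: run `gpg_verify` on the downloaded clearsigned file first, and only parse and compare digests once it returns True, since an unverified checksum list adds nothing over the files themselves. Checking the accompanying .ots file against the Bitcoin timestamp is a further, separate step with the OpenTimestamps client and is not covered by this code.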
