On Mon, Mar 03, 2008 at 09:02:59PM +0100, Andreas Köhler wrote:
> As you can see the GnuCash 2.2.4 release announcement contained md5sums
> and was signed with my private gpg key. I hope that is better than
> before.

This is certainly better than nothing, but the MD5 algorithm has been broken and should not be used in the way you're using it. An MD5 collision attack can be used to generate two tar.gz files with different contents and the same MD5 hash. Even if a user verifies your signature of the release announcement and checks the MD5 signature, there is no guarantee that the file has not been replaced with a malicious one.

See http://www.mathstat.dal.ca/~selinger/md5collision/ for more details.

Instead of signing the MD5 hashes, you should sign the tar.gz files with:

    gpg -b file.tar.gz

This will generate a new file called file.tar.gz.sig, which can be verified with:

    gpg --verify file.tar.gz.sig

Take care,
Alex
_______________________________________________
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel