Dear GnuPG Team, I challenged myself to verify that all software I download on my new machine is verified and signed. Sadly, Win-GnuPG let me down. Here's why.
Most software was distributed as a signed .exe file (using the Windows signed .EXE format). Some was not signed, but was available via an https connection, allowing me to verify the originating source. And some, such as Cygwin, WinGnuPG, and sha1sum, required that I already have GnuPG or sha1sum installed to verify the .sig. Of course, this creates a bootstrapping problem for several reasons:

1) These .exe's aren't signed Windows .exe's,
2) They aren't available via https (and thus can't ensure there isn't a man-in-the-middle), and
3) Even if I had sha1sum, I'd have to use http and not https to download the .sig file, allowing the man-in-the-middle to deliver a checksum matching his hacked version.

Using GnuPG to verify downloads does nothing if I can't verify that GnuPG itself isn't valid.

Now yes, you'll say "You're running Windows XP, that's your problem". Yes, yes, this is true. However, it still leaves the issue... why isn't an HTTPS download or a signed Windows .EXE available, so that users can have confidence in what is downloaded from the GnuPG project?

Regards,
Doug Bateman

P.S. Please CC: me on the reply if possible.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
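The bootstrapping point in the message above, worked through as an added example (editor's illustration, not code from the poster or from the GnuPG project): a checksum file fetched over the same unauthenticated http channel as the binary proves only that the two downloads agree with each other, which a man-in-the-middle who rewrites both can always arrange; a detached signature verified against a key obtained out-of-band defeats that, but only once you already hold a trustworthy verifier and key, which is exactly the circularity being complained about. The installer bytes, file names and keys are constructed sample data, and an HMAC tag stands in for an OpenPGP detached signature because the Python standard library has no asymmetric signing primitive; the property modelled is the same one that matters here, namely that the attacker does not hold the signing key.

```python
import hashlib
import hmac

# Constructed sample artefacts standing in for an installer download; not real GnuPG bytes.
GENUINE_INSTALLER = b"gnupg-w32cli-installer: genuine build"
TROJANED_INSTALLER = b"gnupg-w32cli-installer: build with backdoor"
INSTALLER_NAME = "gnupg-w32cli.exe"

# Key material the verifier obtained out-of-band (e.g. a fingerprint copied from trusted media).
# Assumption: an HMAC key is a stand-in for the publisher's OpenPGP signing key, since the
# standard library has no asymmetric signature primitive. The man-in-the-middle does not hold it.
PUBLISHER_KEY = b"publisher-signing-key-obtained-out-of-band"
ATTACKER_KEY = b"attacker-key"


def sha1sum_line(data: bytes, name: str) -> str:
    """One line in the 'HEXDIGEST  filename' format that sha1sum prints and `sha1sum -c` reads."""
    return f"{hashlib.sha1(data).hexdigest()}  {name}"


def detached_sig(data: bytes, key: bytes) -> bytes:
    """Detached 'signature' over the file contents (HMAC-SHA256 stand-in for an OpenPGP .sig)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def publish() -> dict:
    """What the project's plain-http server offers: the binary, its checksum file and its .sig."""
    return {
        INSTALLER_NAME: GENUINE_INSTALLER,
        INSTALLER_NAME + ".sha1": sha1sum_line(GENUINE_INSTALLER, INSTALLER_NAME),
        INSTALLER_NAME + ".sig": detached_sig(GENUINE_INSTALLER, PUBLISHER_KEY),
    }


def man_in_the_middle(files: dict) -> dict:
    """Rewrite of every http response on the wire. Plain http authenticates nothing, so the
    attacker swaps the binary and regenerates the checksum file to match. He can replace the
    .sig too, but only with one under a key the verifier does not trust."""
    return {
        INSTALLER_NAME: TROJANED_INSTALLER,
        INSTALLER_NAME + ".sha1": sha1sum_line(TROJANED_INSTALLER, INSTALLER_NAME),
        INSTALLER_NAME + ".sig": detached_sig(TROJANED_INSTALLER, ATTACKER_KEY),
    }


def check_with_checksum(files: dict) -> bool:
    """What `sha1sum -c` establishes: only that the downloaded checksum matches the downloaded file."""
    digest, _, name = files[INSTALLER_NAME + ".sha1"].partition("  ")
    actual = hashlib.sha1(files[INSTALLER_NAME]).hexdigest()
    return name == INSTALLER_NAME and hmac.compare_digest(digest, actual)


def check_with_signature(files: dict, trusted_key: bytes) -> bool:
    """What verifying the detached signature against an out-of-band key establishes: that the
    bytes were signed by the holder of that key, regardless of which channel delivered them."""
    expected = detached_sig(files[INSTALLER_NAME], trusted_key)
    return hmac.compare_digest(expected, files[INSTALLER_NAME + ".sig"])


if __name__ == "__main__":
    clean, tampered = publish(), man_in_the_middle(publish())
    print("checksum, clean download:  ", check_with_checksum(clean))
    print("checksum, MITM download:   ", check_with_checksum(tampered))   # still True: undetected
    print("signature, clean download: ", check_with_signature(clean, PUBLISHER_KEY))
    print("signature, MITM download:  ", check_with_signature(tampered, PUBLISHER_KEY))
```

The checksum check passes on the tampered download because the attacker regenerated the .sha1 file alongside the binary; only the signature check, which depends on a key that never travelled over the attacked channel, catches the swap. That is why a signed .exe or an https origin is the only thing that can break the loop for the very first download of the verifier itself.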