John Clizbe wrote:

> Your #3 comment is confusing. There is no .SIG to download if verifying
> with sha1sum. You run sha1sum against the file you wish to verify and
> compare the program output with the published value.
>
> Are you proposing some MITM attack of a replaced installer executable
> with an /identical/ SHA-1 value?

Alternately, he could be implying an active MitM attack, where the attacker is intercepting both the downloaded hash value (replacing it with the trojaned version's hash value) and the application itself (replacing it with a trojaned version).

That said, if you're presently being targeted by people who are capable of intercepting and modifying your network traffic in realtime, neither GnuPG nor Authenticode signatures can help you. You need professional help: lawyers and security geeks will help you an awful lot more than HTTPS or Authenticode.

> sha1sum and md5sum are widely available as source. If you're so
> committed to this verified and signed thing that you're unwilling to
> trust anything, you probably should look into building some things of
> your own.

Insert mandatory "reflections on trusting trust" reference here.

The sentiment of "I must build it from source if I'm going to trust it" is great, but then you have to ask questions about your compiler, your system libraries, etc., until you're left hand-hacking Assembly instructions for a low transistor count CPU you've personally lithographed yourself from your own personal design.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
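To make the two attack models discussed in this exchange concrete, here is an added example (not code from the thread or from GnuPG): it models the sha1sum-and-compare check, shows that a swapped installer with an untouched published hash is caught, that swapping both the installer and the published hash in transit is not, and that binding the hash to a key the verifier already holds before the download distinguishes the two. The installer bytes are constructed sample data, and an HMAC under a pre-shared key is used only as a stdlib stand-in for a detached signature verified against a previously fetched public key.

```python
import hashlib
import hmac

# Constructed sample data, standing in for a real installer download.
GENUINE_INSTALLER = b"genuine installer bytes v1.0"
TROJANED_INSTALLER = b"trojaned installer bytes v1.0"


def sha1_hex(data: bytes) -> str:
    """The hex digest part of what `sha1sum <file>` prints."""
    return hashlib.sha1(data).hexdigest()


def verify_with_published_hash(data: bytes, published_hex: str) -> bool:
    """The check described in the thread: hash the file, compare with the published value."""
    return hmac.compare_digest(sha1_hex(data), published_hex.strip().lower())


def sign_hash(published_hex: str, key: bytes) -> str:
    """Stand-in for a detached signature over the published hash (assumption:
    HMAC with a key the verifier obtained out of band and the attacker lacks)."""
    return hmac.new(key, published_hex.encode(), hashlib.sha256).hexdigest()


def verify_signed_hash(data: bytes, published_hex: str, sig_hex: str, key: bytes) -> bool:
    """Accept only if the published hash carries a valid signature AND the file matches it."""
    if not hmac.compare_digest(sign_hash(published_hex, key), sig_hex):
        return False
    return verify_with_published_hash(data, published_hex)


def passive_vs_active_mitm() -> tuple:
    """Returns (passive_swap_caught, active_swap_fools_hash_only, active_swap_caught_with_signature)."""
    verifier_key = b"key held by the verifier before the download"  # constructed
    genuine_hash = sha1_hex(GENUINE_INSTALLER)
    genuine_sig = sign_hash(genuine_hash, verifier_key)

    # Case 1: only the installer is replaced; the published hash arrives intact.
    passive_caught = not verify_with_published_hash(TROJANED_INSTALLER, genuine_hash)

    # Case 2: both the installer and the published hash are replaced in transit.
    trojan_hash = sha1_hex(TROJANED_INSTALLER)
    hash_only_fooled = verify_with_published_hash(TROJANED_INSTALLER, trojan_hash)

    # Case 3: the same active swap, but the hash must verify under the pre-held key;
    # the attacker can replace the hash, not produce a valid signature for it.
    signed_caught = not verify_signed_hash(TROJANED_INSTALLER, trojan_hash, genuine_sig, verifier_key)
    return passive_caught, hash_only_fooled, signed_caught
```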