On Sat, 27 Jul 2013 07:22, hhhob...@securemecca.net said:

> https://dl.acm.org/citation.cfm?id=2382230

Thanks for the pointer. Actually, I was not aware of this article before I read the Yarom/Falkner paper. I would have appreciated it if Zhang et al. had notified me of the problem, so that we could have fixed it already last year.

> For a second corroborating source of the SHA1 hashes and file
> sizes look here for the current and potential new ones:

A note about the Intevation distribution key: For quite some time I signed the installer files using my usual dist key. In fact I built the installer on my machines. Then some people demanded that the installer should be code signed so that Windows no longer prints a warning about an unknown vendor. Intevation found that argument convincing and purchased a signing key. Thus they now do the release and the signing. That is easier and not less secure than if I would build it, send it to them for code signing, receive it back and OpenPGP sign the exe files.

BTW, only about 10% of the Gpg4win downloaders also download the .sig file.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.