Hello, I have been trying to follow the advice given on your integrity web page below:
https://www.gnupg.org/download/integrity_check.html

"Comparing Checksums

If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in the release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software."

I have been trying to verify the checksums posted at the above listed web site by checking for the announce messages in the gnupg-announce mailing list. Unfortunately there don't seem to be any announcements for the following tarballs:

pinentry-0.9.7.tar.bz2
dirmngr-1.1.1.tar.bz2
npth-1.2.tar.bz2
libassuan-2.4.3.tar.bz2
libksba-1.3.4.tar.bz2
libgpg-error-1.24.tar.bz2

I am checking for the checksums at the web archive https://marc.info/. I have done a Google search and can't seem to find any other site that archives messages from gnupg-announce. Have you stopped releasing announcements for certain tarballs or am I missing something?

Dd
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
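The cross-source comparison that the quoted integrity page describes can be scripted. The following is an added example, not part of the original message and not GnuPG's own tooling. It assumes each copy of the release announcement has been saved as a text file from a different archive and that checksum lines name the tarball in the usual `sha1sum` layout; the function names are hypothetical.

```python
import hashlib
import re
import sys

def sha1_of_file(path):
    """Stream the file so large tarballs are not loaded into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def checksums_in_text(text, filename):
    """Return every 40-hex-digit value found on a line that names `filename`."""
    found = set()
    for line in text.splitlines():
        tokens = [t.lstrip("*") for t in line.split()]  # sha1sum binary mode writes "*name"
        if filename in tokens:
            found.update(m.lower() for m in re.findall(r"\b[0-9a-fA-F]{40}\b", line))
    return found

def verify(path, filename, sources, min_sources=2):
    """`sources` maps a label (where the copy came from) to the announcement text.

    Returns (ok, reason). Passes only if at least `min_sources` copies list the
    file, all copies agree on one checksum, and the local file matches it.
    """
    local = sha1_of_file(path)
    listed = {label: checksums_in_text(text, filename) for label, text in sources.items()}
    listed = {label: sums for label, sums in listed.items() if sums}
    if len(listed) < min_sources:
        return False, f"only {len(listed)} source(s) list {filename}"
    distinct = set().union(*listed.values())
    if len(distinct) != 1:
        return False, "sources disagree: " + ", ".join(sorted(distinct))
    if local not in distinct:
        return False, f"local SHA-1 {local} does not match the announced value"
    return True, f"{len(listed)} sources agree with local SHA-1 {local}"

if __name__ == "__main__":
    # usage: script.py TARBALL ANNOUNCEMENT_COPY [ANNOUNCEMENT_COPY ...]
    tarball, copies = sys.argv[1], sys.argv[2:]
    texts = {c: open(c, encoding="utf-8", errors="replace").read() for c in copies}
    ok, reason = verify(tarball, tarball.rsplit("/", 1)[-1], texts)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A tarball that no saved announcement mentions fails with the "only N source(s) list" reason instead of passing silently.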