On 3/6/25 19:36, Jakob Bohm via Gnupg-users wrote:
> Dear Mr. Backmeyer,
>
> First, notice that Mr. Schweikle explained that their issue is being forced to use 3rd party builds of GnuPG because 3rd party software suites use those builds to /verify/ signatures, not make them.

I specifically said that verifying signatures is safe, at least with respect to RNG issues.

> Secondly, at least one of those suites (GIT) happens to also use their private build for signing stuff, so (only) for those things are still relevant.

Mr. Schweikle's statements suggested to me that he did not believe Werner Koch's warning to be relevant to his use.

Mr. Koch stated that he cannot be certain that the RNG in those builds is sound; Mr. Schweikle appeared to be dismissing the concern on the grounds that he was not using them to generate keys.

> Thirdly your rant would be much more helpful if you bothered to check (and report) if the relevant ECDSA countermeasures.  This is for you to check as you are the one claiming to know about GnuPG internals.

I do not claim (much) knowledge of GnuPG internals.  I specifically quoted Werner Koch, who is probably *the* expert on GnuPG internals, warning that he had never examined the RNG on those builds and of the possibility of a bad RNG.

Further, checking those countermeasures would require tracking down all of the Windows builds at issue and determining if they are "clean" builds of upstream sources or if they have any patches that could affect their security, and I do not use Windows.

It is *not* on me to check, because I do not use those builds of GnuPG.


-- Jacob



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
