On 11/06/2015 16:47, OpenSSL wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1OpenSSL version 1.0.2b released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2b of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2b is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2b.tar.gz Size: 5281009 MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7 The checksums were calculated using the following commands: openssl md5 openssl-1.0.2b.tar.gz openssl sha1 openssl-1.0.2b.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVeZNdAAoJENnE0m0OYESRYscIAKrJik5qyPifnVhWRHVTUXot NYhfl+h+ooHequRyz9ug7Wz3vdUioftuOYlX0eJBBZ+YvskVk27U9tjY+plFnRjq vpdNKfa6bSL9rjztZObupvbCnhYRdDkcJRqLi8HfPb53UlZS/ALIbpDi1FPqIErs Bc7D/toD0nDoQUONLVQw/aSZNWWCaACO09326K2xX/jZGEsQbhCWdlkERfO3RzRW RBN0RnR+k8XBaqy6TRELF1vlYdHe83Dqxg1h3KBTBJ+yOFXvQblPoZO4GnkAyoNA 8EGhbzgWsjg6OIroUbnbbq50avvya/2eDmY+N3gNg5wOrYBNZlWShy91WGZ4378= =rcRW -----END PGP SIGNATURE-----
Note: Why are OpenSSL releases still signed only with MD5 and SHA1? Even the gpg signature of the tarball is SHA1-based. Why isn't there also a detached S/MIME / CMS signature for the tarballs, preferably using a code/object signingcertificate from someone like GlobalSign. i.e. Something that can be verified with the command: old-trusted-openssl smime -verify -inform PEM -in \ openssl-1.0.2b.tar.gz.sig -binary -content \ openssl-1.0.2b.tar.gz -out /dev/null -CAfile \ /etc/ssl/certificates/foo.pem (add option "-purpose codesign" once implemented by the users "old-trusted-openssl"). If old-trused-openssl is a recent version, a similar "old-trused-openssl cms" command can also be used, but verify compatibility with old copies should be maintained for a few years (don't prevent upgrading openssl because the users needs to upgrade openssl). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
