[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jan 21 20:19:24 UTC 2011


#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  rransom     
     Type:  defect                    |      Status:  needs_review
 Priority:  critical                  |   Milestone:              
Component:  Tor bundles/installation  |     Version:              
 Keywords:                            |      Parent:              
--------------------------------------+-------------------------------------

Comment(by Sebastian):

 I think if we change the way we do signatures we will just confuse most
 of those users that are already confused about signatures even more,
 without actually offering much better protection. For the careful gpg
 user, the date of the signature should be a good indication that something
 is wrong.

 That said, if we want to improve the situation, the script should probably
 add a date field, so that people can get suspicious when the date is off
 (note that they could already do that with the plain gpg signatures, but
 looking into many different places makes things just more complicated).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
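
The signature-date check mentioned in the comment above, as an added example that is not part of the original message or of any Tor Project script: it reads the VALIDSIG line from gpg's --status-fd output and flags a signature made far from the release date the user expects for the file they asked for. The sample status text, fingerprint, expected date, tolerance and function names are all constructed or hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `gpg --status-fd 1 --verify pkg.asc pkg` output.
# The fingerprint and timestamps are made up for illustration.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-06-01 1275393600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""


def parse_sig_time(field):
    """GnuPG emits either epoch seconds or an ISO 8601 basic timestamp."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def signature_times(status_text):
    """Return [(fingerprint, creation_time)] for every VALIDSIG line."""
    sigs = []
    for line in status_text.splitlines():
        parts = line.split()
        # VALIDSIG <fpr> <sig-date> <sig-timestamp> <expire> ...
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            sigs.append((parts[2], parse_sig_time(parts[4])))
    return sigs


def date_findings(status_text, expected_release, tolerance_days=14):
    """Compare each signature date with the release date the user expects
    for the file name they asked for (taken from an announcement, say)."""
    sigs = signature_times(status_text)
    if not sigs:
        return ["no valid signature in status output"]
    findings = []
    window = timedelta(days=tolerance_days)
    for fpr, made in sigs:
        if abs(made - expected_release) > window:
            findings.append(
                f"signature by {fpr} made {made:%Y-%m-%d}, "
                f"expected about {expected_release:%Y-%m-%d}"
            )
    return findings


if __name__ == "__main__":
    expected = datetime(2011, 1, 17, tzinfo=timezone.utc)  # constructed date
    for finding in date_findings(SAMPLE_STATUS, expected):
        print("SUSPICIOUS:", finding)
```

An empty result only means the signature date is close to the expected one; the signature itself still has to verify against a trusted key.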

