[tor-talk] Getting a GnuPG version for Windows in a secure way

Jens Kubieziel maillist at kubieziel.de
Tue Aug 6 20:34:36 UTC 2013


Hi,

Roger said during the SummerDev meeting that Windows users have no
secure way to download a copy of GnuPG. I contacted Intevation, the
company which hosts GnuPG and other projects, and got the following info.

If you are using Windows and want to download GnuPG, there is
<URL:http://gpg4win.org/>. This site distributes copies for MS Windows
(see <URL:http://gpg4win.org/download.html>). Binaries can be found at
<URL:http://files.gpg4win.org/>.

The download page offers OpenPGP signatures. But if an attacker is able
to provide you with a forged version of GnuPG, he also might be able to
print the correct signature lines …

So Intevation told me that maintaining a TLS site for gpg4win is too
much effort. There are many projects which are hosted on that server.
But the files site is also available with a self-signed certificate.

What can you do to get gpg4win in a secure way?
1. Navigate to <URL:https://ssl.intevation.de/>. This site offers to
   download the self-signed certificate and is secured by a certificate
   signed by GeoTrust.
2. When the certificate is imported, you can visit
   <URL:https://files.gpg4win.org/> and choose the version (and the
   OpenPGP signature) to download.
   The browser should not show a warning, because the certificate is
   imported.
3. Now you can use the signature to verify the software.

HTH,

-- 
Jens Kubieziel                                   http://www.kubieziel.de
You recognize a person by how he behaves when he does not have to
behave. Dirk Dautzenberg
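The three steps above, done from a script instead of a browser, as an added example that is not part of Jens's post or of gpg4win: TLS is pinned to the self-signed certificate saved from ssl.intevation.de (assumed file name `intevation-selfsigned.pem`), and the download is accepted only if gpg reports a good signature from the expected key fingerprint (a placeholder here; the real gpg4win signing-key fingerprint is not in the post). The file name in the main block is likewise a placeholder.

```python
import ssl
import subprocess
import urllib.request

CAFILE = "intevation-selfsigned.pem"  # cert saved in step 1 (assumed file name)
EXPECTED_FPR = "0000000000000000000000000000000000000000"  # PLACEHOLDER fingerprint

# Status tags that mean the signature must be rejected outright.
BAD_TAGS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def download_pinned(url, dest, cafile=CAFILE):
    """Step 2: fetch over TLS trusting ONLY the pinned self-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
    ctx.load_verify_locations(cafile=cafile)        # system CA store is not used
    with urllib.request.urlopen(url, context=ctx) as resp, open(dest, "wb") as out:
        out.write(resp.read())


def signature_ok(status_text, expected_fpr=EXPECTED_FPR):
    """Step 3: interpret gpg --status-fd output.  True only for a GOODSIG whose
    VALIDSIG fingerprint (signing subkey or its primary key) is the expected
    one; a good signature made by some other key is a failure, not a pass."""
    good, key_matches = False, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag in BAD_TAGS:
            return False
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            fprs = {parts[2].upper()}
            if len(parts) > 11:            # optional trailing primary-key fingerprint
                fprs.add(parts[11].upper())
            key_matches = expected_fpr.upper() in fprs
    return good and key_matches


def verify_download(sig_path, file_path):
    """Run gpg; --status-fd 1 puts the machine-readable status lines on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return signature_ok(proc.stdout)


if __name__ == "__main__":
    name = "gpg4win-VERSION.exe"  # PLACEHOLDER: pick the version on files.gpg4win.org
    download_pinned("https://files.gpg4win.org/" + name, name)
    download_pinned("https://files.gpg4win.org/" + name + ".sig", name + ".sig")
    print("signature OK" if verify_download(name + ".sig", name) else "REJECT")
```

Unlike checking only gpg's exit status, `signature_ok` refuses a valid signature from any key other than the pinned fingerprint, which is the case the post's warning about forged signature lines is about.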