[tor-talk] Getting a GnuPG version for Windows in a secure way
Jens Kubieziel
maillist at kubieziel.de
Tue Aug 6 20:34:36 UTC 2013
Hi,
Roger said during the SummerDev meeting that Windows users have no
secure way to download a copy of GnuPG. I contacted Intevation, the
company which hosts GnuPG and other projects, and got the following info.
If you are using Windows and want to download GnuPG, there is
<URL:http://gpg4win.org/>. This site distributes copies for MS Windows
(see <URL:http://gpg4win.org/download.html>). Binaries can be found at
<URL:http://files.gpg4win.org/>.
The download page offers OpenPGP signatures. But if an attacker is able
to provide you with a forged version of GnuPG he also might be able to
print the correct signature lines …
So Intevation told me that maintaining a TLS site for gpg4win is too
much effort. There are many projects which are hosted on that server.
But the files site is also available with a self-signed certificate.
What can you do to get gpg4win in a secure way?
1. Navigate to <URL:https://ssl.intevation.de/>. This site offers to
download the self-signed certificate and is secured by a certificate
signed by GeoTrust.
2. When the certificate is imported, you can visit
<URL:https://files.gpg4win.org/> and choose the version (and the
OpenPGP signature) to download.
The browser should not show a warning, because the certificate is
imported.
3. Now you can use the signature to verify the software.
HTH,
--
Jens Kubieziel http://www.kubieziel.de
You recognize a person by how they behave when they do not
have to behave. Dirk Dautzenberg
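The three steps above, as an added PowerShell example for the Windows users the post addresses (this is not code from the post or from Intevation/gpg4win). It assumes the self-signed CA was saved from https://ssl.intevation.de/ as `intevation-ca.crt`, that its expected thumbprint is filled in from an out-of-band source (the post does not give it), that the signature file uses a `.sig` suffix, and that a `gpg.exe` with the gpg4win release key already imported is on PATH (for example from an earlier install being upgraded).

```powershell
# Added example: pin Intevation's self-signed CA, fetch gpg4win over TLS, verify its OpenPGP signature.
# Assumptions (not from the post): CA file path, thumbprint placeholder, installer name, .sig suffix,
# and an existing gpg.exe on PATH whose keyring already holds the gpg4win signing key.
$ErrorActionPreference = 'Stop'

$CaFile             = '.\intevation-ca.crt'
$ExpectedThumbprint = 'PLACEHOLDER-SHA1-THUMBPRINT'   # obtain out of band, e.g. from Intevation directly
$Installer          = 'gpg4win-VERSION.exe'           # placeholder file name
$BaseUrl            = 'https://files.gpg4win.org/'

# Step 1: compare the downloaded CA certificate against the pinned thumbprint before trusting it.
# An attacker who can serve a forged CA file could otherwise have you trust their own root.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile
if ($ca.Thumbprint -ne $ExpectedThumbprint) {
    throw "CA thumbprint mismatch: got $($ca.Thumbprint), expected $ExpectedThumbprint"
}
# Import only into the current user's trusted root store (Import-Certificate needs the PKI module, Windows 8+).
Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Step 2: download installer and detached signature; TLS now validates against the pinned CA.
Invoke-WebRequest -Uri "$BaseUrl$Installer"     -OutFile $Installer
Invoke-WebRequest -Uri "$BaseUrl$Installer.sig" -OutFile "$Installer.sig"

# Step 3: verify the OpenPGP signature; gpg exits non-zero on a bad signature or an unknown key.
& gpg.exe --verify "$Installer.sig" $Installer
if ($LASTEXITCODE -ne 0) {
    Remove-Item $Installer, "$Installer.sig" -ErrorAction SilentlyContinue
    throw 'OpenPGP signature did NOT verify; download discarded.'
}
Write-Host "Signature verified for $Installer"
```

Note that gpg returns 0 for a good signature even when the signing key is not marked trusted in your keyring, so read its output and confirm the key fingerprint is the one gpg4win publishes.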