Yes, I also wanted to do this. I read 2 posts doubting the procedure. I am not sure if they are right, and I would be grateful to read your opinions.
"how can you trust this?!?!?
1- you download a program to verify other programs
2- you use a .sig + public key to verify that your verifier program is valid
3- you use that valid program to verify other files
now here we have 2 problems:
1- what if the program is fake, and the sig file and public key too? seems all ok but isn't
2- let's say that the verifier program is correct; how can you use it?
it will tell you that the program and .sig file match, but it doesn't tell you who made the exe and the sig file
the only way to trust it is to meet everyone.
you meet the GnuPG author to get the public key to be sure that everything is correct, but this way you don't need to verify the download anymore; you can simply get the exe from him
same with Tor: you have to meet the author to get a VALID public key"
“No. No. No. Don't trust this security model. WHY? Just because it is wrong in one important point ... HTTPS and SSL/TLS and the certificate trust chain are compromised by default. Your Windows is full of backdoored APIs, and undocumented ones too!!! You all know by WHO! What is compromised first in SSL/TLS and every standard key generation API? ... It is the random number generator used for key generation and by the protocol implementation itself.
What does this mean? =>> All your standard secured connections can be intercepted, MITM-injected with what is needed for a successful attack on your system! What can be injected? ->> Fake content like a backdoor in the file you downloaded from a legit domain with SSL, and a fake MD5/HASH128-512 or PGP key that corresponds well to this file; or a spy can inject a validly signed but backdoored file, or just inject poisoned JS, a Java drive-by, a Flash exploit or else. It is not a very good idea to trust every file or page if you want to be more protected. Against this you can use a sandbox and monitoring tools to check your downloaded file's behavior, or you can catch this file with strong setup rules in your behavior-ruled antivirus tool and firewall, or you can install this file first in a frozen OS with tools like DeepFreeze and then monitor its behavior for one day to decide whether it is clean or not, and then do the install in the real OS. A virtual OS captured before the test can be used too for the same test task.
Be good”
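On the second point of the first quoted post (the verifier says the file and .sig match but not who made them), the usual practice is to compare the signing key's fingerprint against one obtained out of band (printed in a book, read over the phone, seen on several independent mirrors) rather than trusting whatever key came with the download. The script below is an added example, not code from this thread or from GnuPG, that performs that check in a throwaway keyring; it assumes GnuPG 2.x is installed, and the file, signature and key paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify a detached signature
# AND require that the key which made it has the fingerprint you obtained
# out of band. "gpg --verify" alone only proves that *some* key in the
# keyring signed the file; this is the missing "who signed it" step.
# Assumes gpg (GnuPG 2.x) is on PATH. Paths/fingerprints are placeholders.

# verify_pinned FILE SIGFILE PUBKEYFILE PINNED_FPR
# Returns 0 only when the signature is valid and made by PINNED_FPR.
verify_pinned() {
    file=$1; sig=$2; pubkey=$3
    # Normalise the pinned fingerprint: drop spaces, force upper-case hex.
    pinned=$(printf '%s' "$4" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    tmpdir=$(mktemp -d) || return 2
    # Import the published key into a fresh keyring so no key already
    # trusted on this machine can satisfy the verification by accident.
    gpg --homedir "$tmpdir" --batch --quiet --import "$pubkey" 2>/dev/null \
        || { rm -rf "$tmpdir"; return 2; }
    # --status-fd 1 prints machine-readable lines; VALIDSIG carries the
    # full 40-hex fingerprint of the key that produced the signature.
    status=$(gpg --homedir "$tmpdir" --batch --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || true
    rm -rf "$tmpdir"
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$actual" ] || { echo "BAD: no valid signature for $file" >&2; return 1; }
    if [ "$actual" = "$pinned" ]; then
        echo "OK: $file signed by pinned key $actual"
        return 0
    else
        echo "BAD: valid signature, but from unexpected key $actual" >&2
        return 1
    fi
}
```

A tampered file fails with "no valid signature"; a file correctly signed by a key other than the pinned one fails with "unexpected key", which is exactly the case a substituted key-plus-signature pair would produce.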