I downloaded the GPG .exe for Windows and wanted to verify the SHA1 hash using the standard Windows fciv.exe utility. That worked fine; however, I noticed that the website from where I downloaded it is not https:// by default, and when I force it to https:// it warns that the certificate is not signed by a trusted certificate authority. What is the best practice for verifying the download, given that someone can modify the packets of a non-https:// connection?
I’ve been trying to think of a way to accomplish this and the only thing I can come up with is to find an individual whom you trust and who can verify the hash for you via a separate channel such as over the phone, etc. I know this is probably very difficult, but difficulty is an unfortunate characteristic of good security.
Hopefully someone smarter than me can come up with another possibility?
You may have noticed that we have used a codesigning certificate to sign the installer; this is as safe as using a TLS certificate. (Maybe even slightly safer, because Microsoft accepts fewer codesigning certificates than TLS certificates, if I remember correctly.)
You could try to build a web of trust connection by searching for an OpenPGP certificate that you know which signed the distribution's OpenPGP certificate; this tool can help you find it: http://pgp.cs.uu.nl/mk_path.cgi
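An added example, not part of the thread, combining the two checks discussed above (the published hash and the installer's code-signing certificate) into one PowerShell function; the file path, the expected SHA1 and the publisher name are placeholders to be filled in from a source other than the download site.

```powershell
# Added example (not from the thread): verify a downloaded Windows installer
# both by its published hash and by its Authenticode code-signing signature.
# Assumptions: the installer path, the expected hash and the expected signer
# name below are placeholders obtained over a separate, trusted channel.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha1,   # from an out-of-band source
        [string]$ExpectedSignerPattern = $null         # e.g. part of the publisher CN
    )
    $result = [ordered]@{ HashMatches = $false; SignatureValid = $false; SignerMatches = $false }

    # 1. Hash check: Get-FileHash does what fciv.exe did; compare case-insensitively.
    $actual = (Get-FileHash -Algorithm SHA1 -Path $Path).Hash
    $result.HashMatches = ($actual -ieq $ExpectedSha1.Trim())

    # 2. Authenticode check: Status is 'Valid' only if the signature verifies
    #    and the signer chains to a root that Windows trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    $result.Status = $sig.Status
    $result.StatusMessage = $sig.StatusMessage

    # 3. Signer identity: a valid signature from the wrong publisher is still wrong,
    #    so record who signed and compare against the expected publisher name.
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $result.Thumbprint = $sig.SignerCertificate.Thumbprint
        if ($ExpectedSignerPattern) {
            $result.SignerMatches = ($sig.SignerCertificate.Subject -like "*$ExpectedSignerPattern*")
        }
    }
    return [pscustomobject]$result
}

# Usage with placeholder values; all three fields should come back $true.
Test-DownloadedInstaller -Path 'C:\Downloads\gpg-installer.exe' `
    -ExpectedSha1 '<sha1 published by the project>' `
    -ExpectedSignerPattern '<publisher name as shown in the signing certificate>'
```

A hash that matches but a signature that is not Valid (or a signer subject that is not the expected publisher) means the file should not be trusted, even though the hash check alone would have passed.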