Verifying GPG .exe without https:// connection?

Hi,

I downloaded the GPG .exe for Windows and wanted to verify the SHA1 hash using the standard Windows fciv.exe utility. That worked fine; however, I noticed that the website from which I downloaded it is not https:// by default, and when I force it to https:// it warns that the certificate is not signed by a trusted cert authority. What is the best practice for verifying the download, given the fact that someone can modify the packets of a non-https:// connection?

thanks - Matt
polymath@riseup.net

Matt,

I’ve been trying to think of a way to accomplish this and the only thing I can come up with is to find an individual whom you trust and who can verify the hash for you via a separate channel such as over the phone, etc. I know this is probably very difficult, but difficulty is an unfortunate characteristic of good security.

Hopefully someone smarter than me can come up with another possibility?

-Sean C.

Matt, Sean,

You may have noticed that we have used a code-signing certificate to sign the installer;
this is as safe as using a TLS certificate. (Maybe even slightly safer, because Microsoft accepts fewer code-signing certificates than TLS certificates, if I remember correctly.)

You could try to build a web-of-trust connection by searching for an OpenPGP certificate that you know and that has signed the distribution OpenPGP certificate; this tool can help you find it: http://pgp.cs.uu.nl/mk_path.cgi

Best Regards,
Bernhard
PS: Like my response?
I'd appreciate it if you flattr Gpg4win at https://flattr.com/thing/2053326 Thanks!
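The two checks the thread converges on, as an added example that is not part of the original thread and not Gpg4win's own tooling: first the Authenticode signature on the installer that Bernhard mentions, then the detached OpenPGP signature, with the signer pinned to an identity you obtained over a separate channel (Sean's phone call, or a web-of-trust path you verified yourself). The installer path, signature path, certificate thumbprint and OpenPGP fingerprint below are placeholders and are assumptions; substitute the values you have actually verified out of band. The script assumes gpg.exe is on the PATH.

```powershell
# Added example (not from the original thread or from Gpg4win): verify a downloaded
# installer two independent ways and pin the expected signer in both, so that a file
# tampered with in transit, or re-signed by some other party's key, is rejected.
# All values below are placeholders (assumptions), not real paths or identities.

$Installer           = 'C:\Downloads\gpg4win.exe'              # assumed download path
$Signature           = "${Installer}.sig"                       # assumed detached OpenPGP signature
$ExpectedThumbprint  = 'REPLACE-WITH-CERT-THUMBPRINT-VERIFIED-OUT-OF-BAND'
$ExpectedFingerprint = 'REPLACE-WITH-OPENPGP-FINGERPRINT-VERIFIED-OUT-OF-BAND'

function Test-AuthenticodeInstaller {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the hash matches the signed content and the chain is trusted by Windows.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Authenticode status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    # A trusted chain alone is not enough: anyone holding a code-signing certificate could
    # sign a trojaned build. Pin the certificate you expect the vendor to use.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        Write-Warning "Signed by unexpected certificate: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Test-OpenPgpInstaller {
    param([string]$Path, [string]$SigPath, [string]$Fingerprint)
    # --status-fd 1 puts gpg's machine-readable status lines on stdout; the human-readable
    # report on stderr is discarded. VALIDSIG is only emitted when the signature checks out
    # cryptographically, even if the key is not yet trusted in your keyring.
    $status = & gpg --status-fd 1 --verify $SigPath $Path 2>$null
    $validSig = $status | Where-Object { $_ -like '[[]GNUPG:] VALIDSIG *' } | Select-Object -First 1
    if (-not $validSig) {
        Write-Warning 'No valid OpenPGP signature found for the installer'
        return $false
    }
    # Field 3 is the fingerprint of the signing (sub)key, the last field is the primary
    # key fingerprint. Accept the pinned fingerprint if it matches either one.
    $fields   = $validSig -split '\s+'
    $signer   = $fields[2]
    $primary  = $fields[-1]
    $expected = $Fingerprint -replace '\s', ''
    if (($signer -ne $expected) -and ($primary -ne $expected)) {
        Write-Warning "Good signature, but from an unexpected key: $primary"
        return $false
    }
    return $true
}

$authenticodeOk = Test-AuthenticodeInstaller -Path $Installer -Thumbprint $ExpectedThumbprint
$openPgpOk      = Test-OpenPgpInstaller -Path $Installer -SigPath $Signature -Fingerprint $ExpectedFingerprint

if ($authenticodeOk -and $openPgpOk) {
    Write-Host 'Installer passed both signature checks; safe to run.'
} else {
    Write-Host 'Do not run this installer until the failing check is understood.'
}
```

Both checks matter for different reasons. The Authenticode check answers the download-over-plain-http question directly, since Windows will refuse to report a modified installer as Valid, but it trusts whatever certificate authorities Windows trusts, which is why the thumbprint is pinned. The OpenPGP check does not depend on any certificate authority at all; its strength comes entirely from how you established the expected fingerprint, which is the out-of-band verification Sean describes or the web-of-trust path Bernhard points to.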