On Tue, 2008-03-04 at 19:25 -0800, Alexander Sotirov wrote: > On Mon, Mar 03, 2008 at 09:02:59PM +0100, Andreas K?hler wrote: > > As you can see the GnuCash 2.2.4 release announcement contained > md5sums > > and was signed with my private gpg key. I hope that is better than > > before. >
Sorry I sent my email before I got announce from the list. I was watching the http://www.gnucash.org/pub/gnucash/sources/stable/ I saw the tarballs for 2.2.4 and noticed that the 2.2.x series don't have .sig files. Thanks for the md5 sums though. > This is certainly better than nothing, but the MD5 algorithm has been > broken > and should not be used in the way you're using it. An MD5 collision > attack can > be used to generate two tar.gz files with different contents and the > same MD5 > hash. Even if a user verifies your signature of the release > announcement and > checks the MD5 signature, there is no guarantee that the file has not > been > replaced with a malicious one. > > See http://www.mathstat.dal.ca/~selinger/md5collision/ for more > details. > > > Instead of signing the MD5 hashes, you should sign the tar.gz files with: > > gpg -b file.tar.gz > > This will generate a new file called file.tar.gz.sig, which can be verified > with: > > gpg --verify file.tar.gz.sig > That's what used to be done in the past (2.0.x through 2.2.0) and the gpg key on the website is the former release mgr, pub 1024D/18EAD875 2006-07-10 uid Chris Lyttle <[EMAIL PROTECTED]> sub 2048g/67796FEE 2006-07-10 > Take care, > Alex Thanks Andrew _______________________________________________ gnucash-devel mailing list [email protected] https://lists.gnucash.org/mailman/listinfo/gnucash-devel
