On Fri, 19 Dec 2014 18:22, [email protected] said:

> While we're on the subject -- it might be nice for GnuPG to be able to
> issue proper Authenticode-signed Windows binaries. Code signing
> certificates are fairly affordable although the paperwork is a headache.
Actually we (Intevation in this case) do this for Gpg4win. People seem to like this although I do not see a real security benefit in it. If you look at the download stats for December

| Version    | tar/exe | sig  | %  |
|------------+---------+------+----|
| 2.1.0/tar  |     837 |  419 | 50 |
| 2.0.26/tar |    4770 | 1635 | 34 |
| 1.4.18/tar |    1451 |  429 | 30 |
| 1.4.18/exe |     635 |  110 | 17 |

(which also include automated downloads from mirrors not using rsync), it shows that less than 20% of the Windows users check the signatures. It might of course be their first gpg download and thus they can't make use of the signature anyway. However, given the number of the tarball downloads it is obvious that verification of signatures is not a standard procedure. Thus I do not think that Authenticode would harm, even given that it is possible to buy the private key for an existing Authenticode certificate.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users