Hi,

On Saturday 20 December 2014 12:21:08 Werner Koch wrote:
> Thus I do not think that Authenticode would harm even given that it is
> possible to buy the private key for an existing Authenticode certificate.
I actually love Authenticode. It means that you can do some steps to get to the "Operating System" level of trust. Sure, you can buy your way into this, but that is the Operating System level of trust that is asserted through HTTPS connections / Windows Update and so on. It is weak, I grant you that, but it is at least _some_ automatic authentication of binaries.

I'm playing a game on a Windows machine currently (ArcheAge) that requires administrative access for each launch! ... and they did not even care to sign their binary. This is just security sadism. (I keep my GNU/Linux partitions, on which I do any work or store secrets, encrypted.)

In a different project at Intevation we signed all binaries in our installer, keeping packaging and building on different systems. As we won't expose our private keys to proprietary systems, that meant running Wine to create the NSIS uninstaller. Maybe this is also something for the future of Gpg4win. (Btw. we use osslsigncode, which is a really great tool that allows you to create Authenticode PKCS#7 signatures under GNU/Linux.)

With regards to the original question: I'd be happy to sign your experimental GnuPG-only installers with our code signing certificate (and be quick about it) after verifying your signature. Intevation trusts g10code (we heavily use GnuPG internally, where the source is verified by Werner).

Regards,
Andre
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users