Hi,

Roger said during the SummerDev meeting that Windows users have no secure way to download a copy of GnuPG. I contacted Intevation, the company which hosts GnuPG and other projects, and got the following info.

If you are using Windows and want to download GnuPG, there is <URL:http://gpg4win.org/>. This site distributes copies for MS Windows (see <URL:http://gpg4win.org/download.html>). Binaries can be found at <URL:http://files.gpg4win.org/>. The download page offers OpenPGP signatures. But if an attacker is able to provide you with a forged version of GnuPG, he might also be able to print the correct signature lines …

So Intevation told me that maintaining a TLS site for gpg4win is too much effort. There are many projects which are hosted on that server. But the files site is also available with a self-signed certificate.

What can you do to get gpg4win in a secure way?

1. Navigate to <URL:https://ssl.intevation.de/>. This site offers the self-signed certificate for download and is secured by a certificate signed by GeoTrust.
2. When the certificate is imported, you can visit <URL:https://files.gpg4win.org/> and choose the version (and the OpenPGP signature) to download. The browser should not show a warning, because the certificate is imported.
3. Now you can use the signature to verify the software.

HTH,
--
Jens Kubieziel http://www.kubieziel.de
You can recognize a person by how he behaves when he does not have to behave. Dirk Dautzenberg
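Added example, not part of the original message: step 3 only defeats a forged download if the signature was made by a key whose fingerprint you obtained over a trusted channel. This Python sketch checks gpg's machine-readable `--status-fd` output against a pinned fingerprint; the fingerprints, signer name and sample status lines are constructed placeholders, and the function names are hypothetical.

```python
import subprocess

# Constructed placeholder: use the release key fingerprint you obtained over
# a trusted channel (an assumption; the message does not list one).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed
# gpg status keywords that mean the signature must be rejected.
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def sample_status(fpr):
    """Constructed gpg --status-fd lines for a good signature made by fpr."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer <signer@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2013-07-01 1372636800 0 4 0 1 2 00 {fpr}\n")

def check_status(status_text, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason) for gpg status output and a pinned fingerprint."""
    expected = expected_fpr.replace(" ", "").upper()
    seen = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAIL:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Field 2 is the signing (sub)key fingerprint; the last field is
            # the primary key fingerprint when gpg reports it.
            seen.update(f.upper() for f in (fields[2], fields[-1]) if len(f) >= 40)
    if not seen:
        return False, "no VALIDSIG line"
    if expected not in seen:
        # A forged download can carry a perfectly valid signature from the
        # attacker's own key, so validity alone is not enough.
        return False, "signed by unexpected key"
    return True, "valid signature from pinned key"

def verify_file(sig_path, file_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, expected_fpr)

if __name__ == "__main__":
    print(check_status(sample_status(EXPECTED_FPR)))  # pinned key
    print(check_status(sample_status(OTHER_FPR)))     # valid, but wrong key
```

`verify_file` needs gpg on the PATH and the signing key already imported; `check_status` alone runs offline on the constructed samples.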
