Nick,

Yes but the sig is only as good as the person you trust. That is why I haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a trusted binary. I don't think they have a PGP plugin for the NSIS language yet. I'll see what else can be done for verifying sigs.

Regards,
Arrakistor

Monday, September 11, 2006, 4:49:26 PM, you wrote:

> On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
>> I am writing an updater for tor to automatically grab the latest
>> version. One problem I am coming across is where to host it so they
>> cannot be spoofed. I was thinking of putting it at a server in a
>> .onion address. How easily can a node in the tor network be spoofed?
>> Is there a better solution than hosting the tor updates inside a
>> .onion server?
> Checking the PGP signature on the release should be enough to detect
> fake updates.
> (You've been checking PGP signatures already, right?)
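
The signature check suggested in the quoted reply, as an added example that is not part of the original messages and is not Tor or Torpark code: the updater accepts a download only when `gpgv` reports a valid detached signature from one pinned release key, so the result does not depend on where the file was hosted. The fingerprint, the function names and the script name are constructed for illustration.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a constructed placeholder, not a real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# status_is_trusted STATUS FPR
# STATUS is the text gpgv writes with --status-fd. Returns 0 only when it
# holds a VALIDSIG line for FPR and no line reporting a failed signature.
status_is_trusted() {
    # One bad, expired or unverifiable signature rejects the whole update.
    if printf '%s\n' "$1" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '
    then
        return 1
    fi
    # VALIDSIG: field 3 is the signing key fingerprint, the last field the
    # primary key fingerprint. Appending "" forces a string comparison.
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_update FILE SIG KEYRING
# gpgv treats every key in KEYRING as trusted, so KEYRING must hold only the
# release key and must ship with the updater, not arrive with the download.
verify_update() {
    status=$(gpgv --keyring "$3" --status-fd 1 "$2" "$1" 2>/dev/null) || return 1
    status_is_trusted "$status" "$PINNED_FPR"
}

# Run as: sh verify.sh FILE SIG KEYRING
if [ "$#" -eq 3 ]; then
    if verify_update "$1" "$2" "$3"; then
        echo "signature OK, installing $1"
    else
        echo "signature check failed, refusing $1" >&2
        exit 1
    fi
fi
```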

