>> since the installer has an "unknown publisher" I'd like to confirm (e.g.,
>> via md5
>> or sha1 hash) that the download I am getting from sourceforge hasn't been
>> tampered with. Can someone point me to the hash sums?
>
>I don't have checksums for the files, sorry. But you raise a good
>question... maybe we should be signing our Windows builds somehow?
>Maybe we normally do that, but this build was built by a different
>person? Or maybe we would have to go through some kind of crazy
>certification system in order to get a certificate?
>
>I could always create gpg signatures of the .exe files the same way we
>do for the tar balls.

Unfortunately this won't help many Windows users as most won't have ways of verifying the signature. Windows comes with a utility for computing MD5 and SHA1 checksums of files, so why not simply dedicate a page on pidgin.im to enumerate such sums of your releases? Then those who are concerned can verify their sourceforge download. (See keepass.info for a product site that does this)
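
The check proposed in this message, as an added example (not part of the original thread and not Pidgin's own tooling): it verifies a download against a published checksum listing. The md5sum/sha1sum line format, the file name `example-setup.exe` and the listing contents are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm, so one listing page can mix sum types.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_listing(text):
    """Parse '<hex digest>  <file name>' lines (md5sum/sha1sum style) into a dict."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        # A leading '*' on the name is the binary-mode marker, not part of the name.
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) in ALGO_BY_HEX_LEN and set(digest) <= set("0123456789abcdef"):
            sums[name] = digest
    return sums

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return h.hexdigest()

def verify(path, listing_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_listing(listing_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published sum: report it, never treat it as a pass
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(expected)])
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample: a fake installer, its listing, then a modified copy."""
    data = b"constructed installer bytes"
    listing = "# constructed listing\n%s *example-setup.exe\n" % hashlib.sha1(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-setup.exe")
        with open(path, "wb") as f:
            f.write(data)
        before = verify(path, listing)
        with open(path, "ab") as f:
            f.write(b"!")  # simulate a modified download
        return before, verify(path, listing)

if __name__ == "__main__":
    print(demo())
```

The listing has to be fetched from the project's own site, separately from the mirror that served the download, for the comparison to say anything about tampering.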
