On 05/31/2012 06:17 PM, Mark Doliner wrote:
> On Tue, May 8, 2012 at 6:29 PM, BobH <[email protected]> wrote:
>> since the installer has an "unknown publisher" I'd like to confirm (e.g.,
>> via md5 or sha1 hash) that the download I am getting from sourceforge
>> hasn't been tampered with. Can someone point me to the hash sums?
>
> I don't have checksums for the files, sorry. But you raise a good
> question... maybe we should be signing our Windows builds somehow?
> Maybe we normally do that, but this build was built by a different
> person? Or maybe we would have to go through some kind of crazy
> certification system in order to get a certificate?
>
> I could always create gpg signatures of the .exe files the same way we
> do for the tar balls.

The "proper" way to do this on Windows is to use Microsoft's Authenticode
feature and a code signing certificate. The cert seems to start at $166
per year with Comodo, and I guess any vendor on this list would work:

http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

We'd need to decide if we wanted to commit to the cost of such a key to
do this in a way that would be handled automatically in Windows.

Kevin
_______________________________________________
[email protected] mailing list
Want to unsubscribe? Use this link:
http://pidgin.im/cgi-bin/mailman/listinfo/support
