Hi,

Roger said during the SummerDev meeting that Windows users have no secure way to download a copy of GnuPG. I contacted Intevation, the company which hosts GnuPG and other projects, and got the following info.

If you are using Windows and want to download GnuPG, there is <URL:http://gpg4win.org/>. This site distributes copies for MS Windows (see <URL:http://gpg4win.org/download.html>). Binaries can be found at <URL:http://files.gpg4win.org/>. The download page offers OpenPGP signatures. But if an attacker is able to provide you with a forged version of GnuPG, he also might be able to print the correct signature lines.

So Intevation told me that maintaining a TLS site for gpg4win is too much effort. There are many projects which are hosted on that server. But the files site is also available with a self-signed certificate.

What can you do to get gpg4win in a secure way?

1. Navigate to <URL:https://ssl.intevation.de/>. This site offers to download the self-signed certificate and is secured by a certificate signed by GeoTrust.
2. When the certificate is imported, you can visit <URL:https://files.gpg4win.org/> and choose the version (and the OpenPGP signature) to download. The browser should not show a warning, because the certificate is imported.
3. Now you can use the signature to verify the software.

HTH,

-- 
Jens Kubieziel http://www.kubieziel.de
You can recognize a person by how he behaves when he does not have to behave. Dirk Dautzenberg
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
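Steps 1 and 2 of the message above amount to pinning one certificate. The sketch below is an added example, not part of the original post or of any gpg4win or Intevation tooling: it compares the certificate the files server presents with the one imported in step 1 and then downloads while trusting only that certificate. The function names, the `download` helper and the two sample certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl
import urllib.request

def fingerprint(pem: str) -> str:
    """SHA-256 over the certificate's DER bytes, so PEM line wrapping does not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def matches_pin(trusted_pem: str, presented_pem: str) -> bool:
    """True only if the server presents exactly the certificate fetched in step 1."""
    return hmac.compare_digest(fingerprint(trusted_pem), fingerprint(presented_pem))

def pinned_context(trusted_pem: str) -> ssl.SSLContext:
    """TLS context that trusts only the imported certificate, not the system CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification and hostname check on
    ctx.load_verify_locations(cadata=trusted_pem)
    return ctx

def download(url: str, trusted_pem: str, host: str = "files.gpg4win.org") -> bytes:
    """Step 2: refuse to download unless the server certificate matches the pin."""
    presented = ssl.get_server_certificate((host, 443))  # fetched without validation
    if not matches_pin(trusted_pem, presented):
        raise ssl.SSLError("server certificate differs from the imported one")
    with urllib.request.urlopen(url, context=pinned_context(trusted_pem)) as resp:
        return resp.read()

# Constructed placeholder bytes standing in for two certificates; these are not
# real X.509 data and are only good for exercising the fingerprint comparison.
SAMPLE_TRUSTED = ssl.DER_cert_to_PEM_cert(b"\x30\x82" + b"A" * 64)
SAMPLE_FORGED = ssl.DER_cert_to_PEM_cert(b"\x30\x82" + b"B" * 64)

if __name__ == "__main__":
    print("same certificate:", matches_pin(SAMPLE_TRUSTED, SAMPLE_TRUSTED))
    print("swapped certificate:", matches_pin(SAMPLE_TRUSTED, SAMPLE_FORGED))
```

The OpenPGP check in step 3 is still needed afterwards; the pin only establishes that the file and its signature came from the server whose certificate was obtained over the GeoTrust-signed site.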