Re[2]: hidden services spoof
Yes, I am building an updater. If phobos finishes the manual on how to
get it to compile under mingw, I will compile, sign, and release them
myself.
And yes, I am verifying the sigs I use in the release.
Regards,
Arrakistor
Monday, September 11, 2006, 6:27:38 PM, you wrote:
> Arrakistor wrote:
>> Nick,
>>
>> Yes but the sig is only as good as the person you trust. That is why I
>> haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
>> trusted binary. I don't think they have a pgp plugin for the NSIS
>> language yet. I'll see what else can be done for verifying sigs.
> You're not going to get a better way to validate trust than a pgp
> signature. If you don't trust the tor signing release keys, you
> shouldn't trust the code they're signing.
> Some random .onion address given over a mailing list isn't a secure way
> to verify anything. Someone can compromise the server on the other end
> of the .onion address.
> It sounds like you're building an automatic updater for your system.
> I suspect that you should be very careful as you're introducing a method
> for automatically downloading binaries and potentially running untrusted
> code.
> You need to verify the pgp signature of builds just as you would source
> code before building.
> At the cost of repeating what Nick said, you're verifying pgp signatures
> already, right?
> Something,
> Jacob Appelbaum
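
An added example, not code from this thread or from Torpark or Tor: one way an updater can gate a downloaded build on a detached PGP signature made by a pinned release key, by reading gpg's machine-readable status output. The fingerprint, the function names and the dedicated keyring path are assumptions made for illustration.

```python
import subprocess

# Constructed placeholder, not a real key: pin the full fingerprint of the
# release signing key after checking it out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status tags meaning a signature failed, expired, or came from an
# expired or revoked key. Any of them rejects the download.
REJECT = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def signed_by_pinned_key(status_text, pinned_fpr=PINNED_FPR):
    """True only if gpg's --status-fd output reports exactly one valid
    signature and its primary-key fingerprint equals the pinned one."""
    primaries = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "VALIDSIG":
            # Field 3 is the signing (sub)key fingerprint; the optional
            # last field is the primary key fingerprint.
            fpr = parts[11] if len(parts) >= 12 else parts[2]
            primaries.append(fpr.upper())
    return primaries == [pinned_fpr.upper()]


def verify_download(binary_path, sig_path, keyring_path):
    """Check sig_path against binary_path using a dedicated keyring
    (assumed to hold only the release key), so keys in the user's
    default keyring cannot satisfy the check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, binary_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout)
```

The updater should call `verify_download` before the downloaded file is executed or unpacked, and discard the file when it returns False.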