
Re[2]: hidden services spoof



Yes, I am building an updater. If phobos finishes the manual on how to
get it to compile under mingw, I will compile, sign, and release them
myself.

And yes, I am verifying the sigs I use in the release.

Regards,
 Arrakistor

Monday, September 11, 2006, 6:27:38 PM, you wrote:

> Arrakistor wrote:
>> Nick,
>> 
>> Yes but the sig is only as good as the person you trust. That is why I
>> haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
>> trusted binary. I don't think they have a pgp plugin for NSIS
>> language yet. I'll see what else can be done for verifying sigs.

> You're not going to get a better way to validate trust than a pgp
> signature. If you don't trust the tor signing release keys, you
> shouldn't trust the code they're signing.

> Some random .onion address given over a mailing list isn't a secure way
> to verify anything. Someone can compromise the server on the other end
> of the .onion address.

> It sounds like you're building an automatic updater for your system.

> I suspect that you should be very careful as you're introducing a method
> for automatically downloading binaries and potentially running untrusted
> code.

> You need to verify the pgp signature of builds just as you would source
> code before building.

> At the cost of repeating what Nick said, you're verifying pgp signatures
> already, right?

> Something,
> Jacob Appelbaum
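
An added example, not code from anyone in this thread: one way an updater can decide whether a downloaded binary carries a valid signature from a release key it already trusts, by parsing GnuPG's machine-readable `--status-fd` output instead of relying on the exit code alone. It assumes `gpg` is on the PATH; the function names, the pinned fingerprint and the sample status lines are constructed for illustration.

```python
import subprocess

# Status keywords meaning a signature was bad, unverifiable, expired or revoked.
FAILURE = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed placeholder fingerprints, not real release keys.
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

def status_lines(fpr):
    """Build constructed sample status output for a valid signature by fpr."""
    return ("[GNUPG:] GOODSIG %s Release Key (constructed)\n"
            "[GNUPG:] VALIDSIG %s 2006-09-11 1158000000 0 4 0 17 2 00 %s\n"
            % (fpr[-16:], fpr, fpr))

SAMPLE_GOOD = status_lines(PINNED)
SAMPLE_WRONG_KEY = status_lines(OTHER)   # valid signature, but not a pinned key
SAMPLE_BAD = "[GNUPG:] BADSIG %s Release Key (constructed)\n" % PINNED[-16:]

def signature_trusted(status_output, pinned_fingerprints):
    """True only if every reported signature is valid and was made by a key
    whose primary fingerprint is pinned in the updater."""
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    signers = []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURE:
            return False
        if keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    return bool(signers) and all(fp in pinned for fp in signers)

def verify_download(binary_path, sig_path, keyring_path, pinned_fingerprints):
    """Check a detached signature against a keyring shipped with the updater."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, binary_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_trusted(proc.stdout,
                                                      pinned_fingerprints)
```

Pinning the fingerprint inside the updater means a valid signature from any other key in the keyring is still rejected, and the updater should refuse to run the binary whenever `verify_download` returns False.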