gpg signatures for release tarballs
Andrew Duggan
lists at clanduggan.org
Tue Mar 4 22:42:28 EST 2008
On Tue, 2008-03-04 at 19:25 -0800, Alexander Sotirov wrote:
> On Mon, Mar 03, 2008 at 09:02:59PM +0100, Andreas K?hler wrote:
> > As you can see the GnuCash 2.2.4 release announcement contained
> md5sums
> > and was signed with my private gpg key. I hope that is better than
> > before.
>
Sorry I sent my email before I got announce from the list. I was
watching the
http://www.gnucash.org/pub/gnucash/sources/stable/ I saw the tarballs
for 2.2.4 and noticed that the 2.2.x series don't have .sig files.
Thanks for the md5 sums though.
> This is certainly better than nothing, but the MD5 algorithm has been
> broken
> and should not be used in the way you're using it. An MD5 collision
> attack can
> be used to generate two tar.gz files with different contents and the
> same MD5
> hash. Even if a user verifies your signature of the release
> announcement and
> checks the MD5 signature, there is no guarantee that the file has not
> been
> replaced with a malicious one.
>
> See http://www.mathstat.dal.ca/~selinger/md5collision/ for more
> details.
>
>
> Instead of signing the MD5 hashes, you should sign the tar.gz files with:
>
> gpg -b file.tar.gz
>
> This will generate a new file called file.tar.gz.sig, which can be verified with:
>
> gpg --verify file.tar.gz.sig
>
That's what used to be done in the past (2.0.x through 2.2.0) and the
gpg key on the website is the former release mgr,
pub 1024D/18EAD875 2006-07-10
uid Chris Lyttle <chris at wilddev.net>
sub 2048g/67796FEE 2006-07-10
> Take care,
> Alex
Thanks
Andrew
More information about the gnucash-devel
mailing list