gpg signatures for release tarballs

Andrew Duggan lists at
Tue Mar 4 22:42:28 EST 2008

On Tue, 2008-03-04 at 19:25 -0800, Alexander Sotirov wrote:

> On Mon, Mar 03, 2008 at 09:02:59PM +0100, Andreas K?hler wrote:
> > As you can see the GnuCash 2.2.4 release announcement contained
> md5sums
> > and was signed with my private gpg key.  I hope that is better than
> > before.

Sorry I sent my email before I got announce from the list.  I was
watching the  I saw the tarballs
for 2.2.4 and noticed that the 2.2.x series don't have .sig files.
Thanks for the md5 sums though.  

> This is certainly better than nothing, but the MD5 algorithm has been
> broken
> and should not be used in the way you're using it. An MD5 collision
> attack can
> be used to generate two tar.gz files with different contents and the
> same MD5
> hash. Even if a user verifies your signature of the release
> announcement and
> checks the MD5 signature, there is no guarantee that the file has not
> been
> replaced with a malicious one.
> See for more
> details.
> Instead of signing the MD5 hashes, you should sign the tar.gz files with:
>   gpg -b file.tar.gz
> This will generate a new file called file.tar.gz.sig, which can be verified with:
>   gpg --verify file.tar.gz.sig

That's what used to be done in the past (2.0.x through 2.2.0) and the
gpg key on the website is the former release mgr, 
pub   1024D/18EAD875 2006-07-10
uid                  Chris Lyttle <chris at>
sub   2048g/67796FEE 2006-07-10

> Take care,
> Alex



More information about the gnucash-devel mailing list