PGP .exe file signatures

John Ralls jralls at ceridwen.us
Sat Dec 26 11:21:09 EST 2015


> On Dec 26, 2015, at 6:49 AM, Jamestk <davidjamestk at hotmail.co.uk> wrote:
> 
> Hello folks,
> 
> In the process of upgrading all of my software and wanted to check .exe
> files before installation.
> 
> Some sites offer a PGP signature which is used to sign and verify the
> executable. Is this something that GnuCash lists, or is it not really
> needed?
> 
> Searched the main web site and SourceForge, although I did find a SHA1 text file,
> but this is only for the tarball.
> 
> Thanks and Happy New Year to all.

We're not code-signing the Windows package at present. I agree that it would be a good idea and worth examining. In the meantime I can add a sha256 hash for it in the README. Sourceforge already offers a sha1 on each file, but that's generated on the fly and is only useful for confirming that you got a clean download; it doesn't assure you that the file hasn't been tampered with. Of course, if someone can replace the Windows package they can replace the README as well, so I suppose that doesn't provide any better assurance.

FWIW the Mac Intel GnuCash.app *is* code-signed with an Apple developer certificate.

Regards,
John Ralls
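The reply above draws the distinction a practitioner should keep in mind: a hash published next to the download (SourceForge's on-the-fly SHA1, or a SHA256 in the README) proves only that the bytes you received are the bytes the server is currently serving, not that those bytes are the ones the developer built. Authenticity needs a signature checked against a key obtained out of band. The following is an added example, not code from GnuCash or from anyone in this thread. It implements the integrity half: a parser for `sha256sum`-style digest files and a streaming check of a downloaded installer, exercised on constructed placeholder bytes (the file name `gnucash-setup.exe` and its contents are assumptions, not a real release artifact).

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read installers in 1 MiB pieces; they can be large


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse `sha256sum` output: one '<hex>  <name>' per line.

    Binary-mode lines ('<hex> *<name>') are accepted too. Blank lines and
    '#' comments are skipped; anything that is not a 64-char hex digest
    is rejected rather than silently ignored.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name] = digest.lower()
    return sums


def check_download(path, sums):
    """Return 'ok', 'mismatch', or 'unlisted' for one downloaded file.

    A match shows the download is intact. It does NOT show the file is
    authentic: if the digest list came from the same server as the file,
    an attacker who replaced one could replace the other (the point made
    in the reply above). Authenticity requires a signature checked against
    a key you obtained independently of the download site.
    """
    name = os.path.basename(path)
    if name not in sums:
        return "unlisted"
    actual = sha256_file(path)
    # compare_digest avoids timing leaks; harmless here but a good habit.
    return "ok" if hmac.compare_digest(actual, sums[name]) else "mismatch"


def demo():
    """Constructed scenario (not a real GnuCash release): a fake installer,
    the matching SHA256SUMS text, the same file after a one-byte change,
    and a file the digest list does not mention."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "gnucash-setup.exe")  # assumed name
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094)  # constructed placeholder bytes
        sums = parse_sums(f"{sha256_file(exe)}  gnucash-setup.exe\n")
        clean = check_download(exe, sums)

        with open(exe, "r+b") as f:  # simulate tampering: flip one byte
            f.seek(100)
            f.write(b"\xff")
        tampered = check_download(exe, sums)

        other = os.path.join(d, "other.exe")
        open(other, "wb").close()
        unlisted = check_download(other, sums)
    return {"clean": clean, "tampered": tampered, "unlisted": unlisted}


if __name__ == "__main__":
    print(demo())
```

For the authenticity half, the same digest file would be covered by a detached signature (`gpg --verify SHA256SUMS.asc SHA256SUMS`) made with a key whose fingerprint you confirmed from a source other than the download page; the check above is only meaningful once that step has passed.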
