Hi all, I was setting up a new computer (so I have no *existing* trusted gpg installation to verify a signature), and I was attempting to follow the instructions to perform an integrity check on the 2.4.8 tarball on gnupg.org <https://www.gnupg.org/download/>. The instructions state:
> If you are not able to use an old version of GnuPG, you can still verify
> the file's SHA-1 checksum. This is less secure, because if someone modified
> the files as they were transferred to you, it would not be much more effort
> to modify the checksums that you see on this webpage. As such, if you use
> this method, you should compare the checksums with those in release
> announcement. This is sent to the gnupg-announce mailing list (among
> others), which is widely mirrored. Don't use the mailing list archive on
> this website, but find the announcement on several other websites and make
> sure the checksum is consistent. This makes it more difficult for an
> attacker to trick you into installing a modified version of the software.

However, I cannot locate any release announcement for 2.4.8 <https://dev.gnupg.org/source/gnupg/browse/master/NEWS>; the NEWS file just goes straight from 2.4.6 to 2.5.0. All I can find online anywhere is a Reddit thread <https://www.reddit.com/r/GnuPG/comments/1lyd3ot/no_announcement_for_gnupg_248/> of someone asking why there was no release announcement and not getting an answer. Is there another source I can reference for the checksum?

As it stands, it looks like I might have to install an older version for which I can find a release announcement, then use the older version to validate the signature on the newer release.

Thanks,
Andrew
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
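The cross-checking the quoted download page recommends (comparing a tarball's SHA-1 against the checksum as seen in several independently obtained copies of the announcement, and trusting it only when every copy agrees) can be scripted; the following is an added example, not code from the original post or from the GnuPG project, and it uses a constructed stand-in file rather than a real tarball so it runs offline:

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded file's
# SHA-1 against checksums copied from several independently obtained
# copies of a release announcement; fail unless all sources agree with
# each other and with the file.

# sha1_of FILE -> lowercase hex SHA-1 (sha1sum on Linux, shasum on macOS/BSD)
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_against_sources FILE SUM1 SUM2 ...
#   returns 0 if every SUM equals the file's SHA-1,
#           1 if the sources agree but the file does not match (tampered file),
#           2 if fewer than two sources were given or the sources disagree
#             (one mirror/archive was modified, so trust none of them).
verify_against_sources() {
    file=$1; shift
    [ "$#" -ge 2 ] || { echo "need at least two independent sources" >&2; return 2; }
    actual=$(sha1_of "$file")
    first=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for s in "$@"; do
        s=$(printf '%s' "$s" | tr 'A-F' 'a-f')
        if [ "$s" != "$first" ]; then
            echo "sources disagree: $first vs $s" >&2
            return 2
        fi
    done
    if [ "$actual" != "$first" ]; then
        echo "MISMATCH: file has $actual, announcement says $first" >&2
        return 1
    fi
    echo "OK: $file matches $actual"
}

# Constructed sample in place of a real gnupg tarball, so this runs offline.
SAMPLE=$(mktemp)
printf 'not a real tarball\n' > "$SAMPLE"
SAMPLE_SUM=$(sha1_of "$SAMPLE")
# Two copies of the announcement carry the same checksum -> accepted.
verify_against_sources "$SAMPLE" "$SAMPLE_SUM" "$SAMPLE_SUM"
# One copy has been altered -> rejected with status 2, file not trusted.
verify_against_sources "$SAMPLE" "$SAMPLE_SUM" \
    0000000000000000000000000000000000000000 || echo "rejected (status $?)"
rm -f "$SAMPLE"
```

The same function works unchanged for the SHA-256 sums a release announcement may also carry if `sha1_of` is swapped for a `sha256sum`-based helper.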