Dear Elliott,

> that smells of Trojan. So I went looking for signatures and a bulging web of 
> trust. No record on any of the usual places.

thank you for pointing this out. Here is what we did:

1. "I just got here today via a pop-up in GPG Mail". Sparkle updates are 
digitally signed. So there is "no" chance that GPGMail will show you such a 
pop-up when the update is not released by the person with the corresponding 
secret key.

2. "No record on any of the usual places." All well-known sites (sente.ch, 
gnupg.org, mac.sf.net, gpgmail.org) are linking or forwarding to gpgtools.org. 
Additionally all relevant update sites (macupdate, iusethis, cnet, heise, ...) 
are linking to gpgtools.org and users can add comments there.

3. "could I find the download to test the digest after install was complete?". 
All files released by us are digitally signed using GnuPG and the checksum 
(SHA-1) is also distributed using all above mentioned channels. But you are 
right, the combination of Sparkle update and checksum doesn't make sense.

4. "why did you have to delete the old GPG on my machines". There was a great 
demand to be able to uninstall MacGPG2 again but the files were distributed 
over the file system (as usual). So Benjamin decided to copy (almost) 
everything related to MacGPG2 to /usr/local/MacGPG2 for now and the future. In 
this context the installer is removing the old MacGPG2/gnupg2 version. Sorry if 
this broke anything.

> but it was a scary introduction.

Do you have any suggestions on how to deal with this issue?

Br, Alex

On 03.03.2011, at 20:54, Elliott Roper wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I just got here today via a pop-up in GPG Mail. It said you were the new 
> custodians and an update was available. Taken together, that smells of 
> Trojan. So I went looking for signatures and a bulging web of trust. No 
> record on any of the usual places.
> 
> ..and, I went ahead and did the GPG-mail version update by clicking on all 
> the clicky things. I kept a record of the SHA-1 digest off your web page, but 
> could I find the download to test the digest after install was complete?
> That did not fill me with confidence.
> 
> .. OK, you call it GPG2, and I did manage to fix up my Emacs options, but why 
> did you have to delete the old GPG on my machines?
> 
> OK I'm now happy enough with the provenance of the whole package and mailing 
> list and all, but it was a scary introduction.
> 
> Elliott Roper
> phone: +44 1663 747334
> mobile +44 7796 171018
> www.yrl.co.uk
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> 
> iEYEARECAAYFAk1v8hAACgkQflyp5I5Z4ki1OwCg+qV5HhEPuew6n5fHaMnIZTbT
> VeIAoOmbIzy56lVz3+4Ka5EpN4CmB2QH
> =bfBp
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> gpgtools-users mailing list
> [email protected]
> FAQ: http://www.gpgtools.org/faq.html
> Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users
> Unsubscribe: 
> http://lists.gpgtools.org/mailman/options/gpgtools-users/[email protected]?unsub=Unsubscribe&unsubconfirm=1
> 
> This email sent to: [email protected]

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Attachment: PGP.sig
Description: This is a digitally signed message part

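Points 1 and 3 of Alex's reply describe the two checks a user can make on a release that is not pulled through Sparkle: compare the downloaded file against the SHA-1 digest published on a separate channel, and verify the detached GnuPG signature. The following script is an added example for this thread, not GPGTools' own code. It assumes a checksum file in `sha1sum`/`shasum` format ("<40 hex chars>  <filename>") and a detached signature stored next to the artifact; the file names and contents in `demo()` are constructed for illustration.

```python
"""Checking a release the way Alex's points 1 and 3 describe: compare the
downloaded file against a SHA-1 digest published on a separate channel and,
where GnuPG is installed, against a detached GnuPG signature.

Added example for this thread, not GPGTools' own code.  Assumed layout:
a checksum file in sha1sum/shasum format ("<40 hex>  <filename>") and a
detached signature next to the artifact (<file>.sig).
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

HEX = set("0123456789abcdef")


def sha1_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-1 so a large installer need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_lines(lines):
    """Parse sha1sum/shasum output into {filename: lowercase digest}.

    Accepts text-mode ("digest  name") and binary-mode ("digest *name") lines.
    A line that is not 40 hex characters plus a name raises instead of being
    skipped, so a mangled checksum file cannot masquerade as "no entry".
    """
    table = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 40 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-1 digest: {parts[0]!r}")
        table[name] = digest
    return table


def checksum_matches(path, table):
    """True only if the file's digest equals the published one for its name.

    A file with no entry fails closed: absence of a reference digest is not
    evidence of integrity.  compare_digest keeps the comparison constant-time.
    """
    expected = table.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha1_of_file(path), expected)


def gpg_signature_ok(path, sig_path):
    """Run `gpg --verify` on a detached signature.

    Returns None when no gpg binary is installed.  Exit status 0 means the
    signature is valid for a key already in the local keyring; it says nothing
    about whether that key belongs to the publisher, so the key's fingerprint
    still has to be confirmed over an independent channel (the web of trust
    Elliott went looking for).
    """
    gpg = shutil.which("gpg") or shutil.which("gpg2")
    if gpg is None:
        return None
    proc = subprocess.run([gpg, "--batch", "--verify", sig_path, path],
                          capture_output=True, text=True)
    return proc.returncode == 0


def demo():
    """Constructed sample: a genuine artifact, a one-byte-altered copy with the
    same file name, and a checksum line for the genuine one.  Returns verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine_dir = os.path.join(tmp, "genuine")
        tampered_dir = os.path.join(tmp, "tampered")
        os.makedirs(genuine_dir)
        os.makedirs(tampered_dir)
        genuine = os.path.join(genuine_dir, "MacGPG2.pkg")  # name is illustrative
        tampered = os.path.join(tampered_dir, "MacGPG2.pkg")
        with open(genuine, "wb") as f:
            f.write(b"abc")  # SHA-1 of b"abc" is the well-known test vector below
        with open(tampered, "wb") as f:
            f.write(b"abd")
        # Constructed checksum file contents, as `shasum -a 1` would print them.
        table = parse_checksum_lines(
            ["a9993e364706816aba3e25717850c26c9cd0d89d  MacGPG2.pkg"])
        return {
            "genuine": checksum_matches(genuine, table),
            "tampered": checksum_matches(tampered, table),
            "unlisted": checksum_matches(os.path.join(tmp, "other.pkg"), table),
        }


if __name__ == "__main__":
    print(demo())
```

The digest check only has value if the reference digest reached you over a channel the attacker does not control, which is why Alex lists the mirrors that publish it; and as the reply concedes, it cannot be applied to a Sparkle update at all, because the installer never leaves a file for the user to hash. The signature check is the one that actually ties the release to the publisher's key, provided the key's fingerprint has been confirmed independently.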