-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Alex,

A bit of personal history:- I am a long-time but intermittent user of PGP. Originally on VMS, now Mac. So I am used to public keyservers, and somewhat lament their becoming less reliable and less well populated. I used PGP Corp's mail plugin for a long time until they discontinued it, and in my view wrecked the important bits of PGP with their automatic company-wide transparent encryption. I was also unimpressed with their keyserver implementation. I'm new-ish to GPG and use it via command line and Emacs Tools (EPG) as well as using the mail plugin, which, as you know so well, fell over every new version of OS X.

So to your questions by number:

1. I never heard of Sparkle till just now. On the face of it I can't believe a pop-up trojan can't be faked in spite of Sparkle, and given that the mail plugin used to come from a different source -- was it Stéphane Corthésy? Every OS X version change entailed an exciting wait while he found a path through the lack of support for external mail plugins. I expected someone new, and I'm pleased you are here, but you can see why I would be careful.

2. I know that now, but I was looking on keyservers for signatories to GPG Tools' public key. Look up Phil Zimmermann or Greg Rose to spot the difference. Might I suggest you and other committers and supporters populate a web of trust for GPG Tools.

3. OK, I don't need to add anything. Except you might change the installer script to leave the signed package in Downloads - that will help after the horse is bolted. Or you could divide the install process into two parts: Download (user optionally checks signature), then Install. Apple sets a bad example with software update. I often use the combo to check for authenticity and integrity.

4. Luckily that terminal session is still running:-

Before installing GPG2
________________________________________
EPro:~ elliott$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
________________________________________
After:-
EPro:~ elliott$ gpg --version
dyld: Library not loaded: /usr/local/lib/libusb-0.1.4.dylib
  Referenced from: /usr/local/bin/gpg
  Reason: image not found
Trace/BPT trap
________________________________________

So I was scared to uninstall GPG2 and be left with nothing. I got over that once I knew to call it GPG2, and I'm happy now. That looks like I had a very old GPG -- I forget where I got it from, so it may not be a common problem.

As a side note that may be helpful to other self-flagellants -- to restore the encryption tools in Aquamacs Emacs, go to Options » Customize Aquamacs » Groups matching Regexp... EPG and change Epg Gpg Program from gpg to gpg2 and save it.

On 3 Mar 2011, at 22:41, Alexander Willner wrote:

> Dear Elliott,
>
>> that smells of Trojan. So I went looking for signatures and a bulging web of
>> trust. No record on any of the usual places.
>
> thank you for pointing this out. Here is what we did:
>
> 1. "I just got here today via a pop-up in GPG Mail". Sparkle updates are
> digitally signed. So there is "no" chance that GPGMail will show you such a
> pop up when the update is not released by the person with the according
> secret key.
>
> 2. "No record on any of the usual places.". All well known sites (sente.ch,
> gnupg.org, mac.sf.net, gpgmail.org) are linking or forwarding to
> gpgtools.org. Additionally all relevant update sites (macupdate, iusethis,
> cnet, heise, ...)
> are linking to gpgtools.org and users can add comments
> there.
>
> 3. "could I find the download to test the digest after install was
> complete?". All files released by us are digitally signed using GnuPG and the
> checksum (SHA-1) is also distributed using all above mentioned channels. But
> you are right, the combination of Sparkle update and checksum doesn't make
> sense.
>
> 4. "why did you have to delete the old GPG on my machines". There was a great
> demand to be able to uninstall MacGPG2 again but the files were distributed
> over the file system (as usual). So Benjamin decided to copy (almost)
> everything related to MacGPG2 to /usr/local/MacGPG2 for now and the future.
> In this context the installer is removing the old MacGPG2/gnupg2 version.
> Sorry if this broke anything.
>
>> but it was a scary introduction.
>
> Do you have any suggestions on how to deal with this issue?
>
> Br, Alex
>
> On 03.03.2011, at 20:54, Elliott Roper wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I just got here today via a pop-up in GPG Mail. It said you were the new
>> custodians and an update was available. Taken together, that smells of
>> Trojan. So I went looking for signatures and a bulging web of trust. No
>> record on any of the usual places.
>>
>> ..and, I went ahead and did the GPG-mail version update by clicking on all
>> the clicky things. I kept a record of the SHA-1 digest off your web page,
>> but could I find the download to test the digest after install was complete?
>> That did not fill me with confidence.
>>
>> .. OK, you call it GPG2, and I did manage to fix up my Emacs options, but
>> why did you have to delete the old GPG on my machines?
>>
>> OK I'm now happy enough with the provenance of the whole package and mailing
>> list and all, but it was a scary introduction.
>>
>> Elliott Roper
>> phone: +44 1663 747334
>> mobile +44 7796 171018
>> www.yrl.co.uk
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>>
>> iEYEARECAAYFAk1v8hAACgkQflyp5I5Z4ki1OwCg+qV5HhEPuew6n5fHaMnIZTbT
>> VeIAoOmbIzy56lVz3+4Ka5EpN4CmB2QH
>> =bfBp
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> gpgtools-users mailing list
>> [email protected]
>> FAQ: http://www.gpgtools.org/faq.html
>> Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users
>> Unsubscribe:
>> http://lists.gpgtools.org/mailman/options/gpgtools-users/[email protected]?unsub=Unsubscribe&unsubconfirm=1
>>
>> This email sent to: [email protected]
>

Elliott Roper
phone: +44 1663 747334
mobile +44 7796 171018
www.yrl.co.uk

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk1wKJsACgkQflyp5I5Z4kgsfACfSIG76OC6wAjzmPb99r8FCcek
FGsAmwQgz7hYhNo5H/YmtW7prRiCLQtK
=pgp0
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk1wKNwACgkQflyp5I5Z4khLEQCgt+X6P/yquP5dyAP1q3PatWS4
H10An2eN+hDSKLtKvCVW4TwaneTiDoyv
=DuKS
-----END PGP SIGNATURE-----

_______________________________________________
gpgtools-users mailing list
[email protected]
FAQ: http://www.gpgtools.org/faq.html
Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users
Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/[email protected]?unsub=Unsubscribe&unsubconfirm=1

This email sent to: [email protected]
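Item 3 of the thread proposes splitting an update into a download step the user can check and a separate install step, and the reply states that GPGTools releases are GnuPG-signed with a SHA-1 checksum published alongside. The script below is an added example of that two-step gate; it is not code from the GPGTools project or from either correspondent. It assumes the GnuPG binary is named gpg2 (as the thread's MacGPG2 install names it), a published checksum line in the `digest  filename` form that sha1sum and shasum print, and a detached signature file next to the package; the package bytes and digests used in demo() are constructed for the demonstration.

```python
"""Two-step "download, verify, then install" gate for a signed package.

Added example, not code from the GPGTools project or from anyone in the thread.
Paths, file names and the digests in demo() are constructed for illustration.
"""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read 64 KiB at a time so a large .dmg never sits in RAM


def sha1_of_file(path):
    """Hex SHA-1 of a file, streamed in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one 'digest  filename' line as sha1sum/shasum print it.

    Returns (digest, filename). Raises ValueError on malformed input rather
    than silently accepting a truncated or non-hex digest.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 40:
        raise ValueError("not a 'sha1  filename' line: %r" % line)
    digest, name = parts
    int(digest, 16)  # must be hexadecimal
    return digest.lower(), name.lstrip("*")  # '*' prefix marks binary mode


def sha1_matches(path, published_digest):
    """True only if the file's SHA-1 equals the published digest.

    hmac.compare_digest keeps the comparison time independent of where the
    first differing character sits.
    """
    return hmac.compare_digest(sha1_of_file(path), published_digest.lower())


def signature_verifies(path, sig_path, gpg="gpg2"):
    """Run 'gpg2 --batch --verify <sig> <file>' and report whether it passed.

    gpg exits 0 only for a good signature from a key in the local keyring;
    a missing key, a bad signature or a missing gpg binary all count as
    failure. Assumption: the binary is called gpg2, as in MacGPG2.
    """
    if shutil.which(gpg) is None:
        return False
    result = subprocess.run(
        [gpg, "--batch", "--verify", str(sig_path), str(path)],
        capture_output=True,
    )
    return result.returncode == 0


def package_is_trusted(path, checksum_line, sig_path, gpg="gpg2"):
    """Install gate: the checksum must name this file and both checks must pass."""
    digest, name = parse_checksum_line(checksum_line)
    if Path(path).name != name:
        return False
    return sha1_matches(path, digest) and signature_verifies(path, sig_path, gpg)


def demo():
    """Constructed demonstration: a tiny 'package' whose bytes are b'abc'.

    Returns (checksum ok for the genuine digest, checksum ok for a tampered one).
    """
    workdir = tempfile.mkdtemp()
    pkg = Path(workdir) / "GPGTools-demo.dmg"
    pkg.write_bytes(b"abc")  # constructed package content
    genuine = "a9993e364706816aba3e25717850c26c9cd0d89d  GPGTools-demo.dmg"
    tampered = "a9993e364706816aba3e25717850c26c9cd0d89e  GPGTools-demo.dmg"
    ok = sha1_matches(pkg, parse_checksum_line(genuine)[0])
    bad = sha1_matches(pkg, parse_checksum_line(tampered)[0])
    shutil.rmtree(workdir)
    return ok, bad


if __name__ == "__main__":
    print("genuine digest accepted, tampered digest accepted:", demo())
```

A checksum fetched over the same channel as the package only shows the download was not corrupted in transit; the authenticity claim rests on the signature, and on the signing key being one the user has verified through the web of trust the thread's item 2 asks for. Keeping the downloaded package and its signature on disk, as item 3 suggests, is what makes this check possible after the fact.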
