Hi Elliott.
> 1. I never heard of Sparkle till just now. On the face of it I can't believe
> a pop-up trojan can't be faked in spite of Sparkle, and given that the mail
> plugin used to come from a different source -- was it Stéphane Corthésy?
> Every OS X version change entailed an exciting wait while he found a path
> through the lack of support for external mail plugins. I expected someone
> new, and I'm pleased you are here, but you can see why I would be careful.

And everybody should be that careful. It's an issue that not only matters for Sparkle but for OS X and every other OS. For a trojan there is always a way to fake an update/password message. No one can replace the human brain (at the moment at least).

The "exciting wait" will still continue (next BIG step is Mail 5 which comes with OS X Lion) as long as Apple won't prevent us from having to hack mail.app (either by providing a reliable and sufficient API or preventing us completely from loading plugins).

Best regards
Patrice

On 04.03.2011 at 00:48, Elliott Roper wrote:

> Dear Alex,
>
> A bit of personal history:- I am a long time but intermittent user of PGP.
> Originally on VMS, now Mac. So I am used to public keyservers, and somewhat
> lament their becoming less reliable and less well populated. I used PGP
> Corp's mail plugin for a long time until they discontinued it, and in my view
> wrecked the important bits of PGP with their automatic company wide
> transparent encryption. I was also unimpressed with their keyserver
> implementation. I'm new-ish to GPG and use it via command line and Emacs
> Tools (EPG) as well as using the mail plugin, which as you know so well, fell
> over every new version of OS X.
>
> So to your questions by number
> 1. I never heard of Sparkle till just now. On the face of it I can't believe
> a pop-up trojan can't be faked in spite of Sparkle, and given that the mail
> plugin used to come from a different source -- was it Stéphane Corthésy?
> Every OS X version change entailed an exciting wait while he found a path
> through the lack of support for external mail plugins. I expected someone
> new, and I'm pleased you are here, but you can see why I would be careful.
>
> 2. I know that now, but I was looking on keyservers for signatories to GPG
> Tools public key. Look up Phil Zimmermann or Greg Rose to spot the
> difference. Might I suggest you and other committers and supporters populate
> a web of trust for GPG Tools
>
> 3. OK, I don't need to add anything. Except you might change the installer
> script to leave the signed package in Downloads - that will help after the
> horse is bolted. Or you could divide the install process to two parts.
> Download (user optionally checks signature) then Install. Apple sets a bad
> example with software update. I often use the combo to check for authenticity
> and integrity.
>
> 4. Luckily that terminal session is still running:-
> Before installing GPG2
> ________________________________________
> EPro:~ elliott$ gpg --version
> gpg (GnuPG) 1.4.10
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
> CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
> ________________________________________
> After:-
> EPro:~ elliott$ gpg --version
> dyld: Library not loaded: /usr/local/lib/libusb-0.1.4.dylib
> Referenced from: /usr/local/bin/gpg
> Reason: image not found
> Trace/BPT trap
>
> ________________________________________
>
> So I was scared to uninstall GPG2 and be left with nothing. I got over that
> once I knew to call it GPG2 and I'm happy now.
> That looks like I had a very old GPG -- I forget where I got it from, so it
> may not be a common problem.
>
> As a side note that may be helpful to other self-flagellants -- To restore
> the encryption tools in Aquamacs Emacs, go to
> Options » Customize Aquamacs » Groups matching Regexp... EPG and change Epg
> Gpg Program from gpg to gpg2 and save it.
>
> On 3 Mar 2011, at 22:41, Alexander Willner wrote:
>
>> Dear Elliott,
>>
>>> that smells of Trojan. So I went looking for signatures and a bulging web
>>> of trust. No record on any of the usual places.
>>
>> thank you for pointing this out. Here is what we did:
>>
>> 1. "I just got here today via a pop-up in GPG Mail". Sparkle updates are
>> digitally signed. So there is "no" chance that GPGMail will show you such a
>> pop up when the update is not released by the person with the according
>> secret key.
>>
>> 2. "No record on any of the usual places.". All well known sites (sente.ch,
>> gnupg.org, mac.sf.net, gpgmail.org) are linking or forwarding to
>> gpgtools.org. Additionally all relevant update sites (macupdate, iusethis,
>> cnet, heise, ...) are linking to gpgtools.org and users can add comments
>> there.
>>
>> 3. "could I find the download to test the digest after install was
>> complete?". All files released by us are digitally signed using GnuPG and
>> the checksum (SHA-1) is also distributed using all above mentioned channels.
>> But you are right, the combination of Sparkle update and checksum doesn't
>> make sense.
>>
>> 4. "why did you have to delete the old GPG on my machines". There was a
>> great demand to be able to uninstall MacGPG2 again but the files were
>> distributed over the file system (as usual). So Benjamin decided to copy
>> (almost) everything related to MacGPG2 to /usr/local/MacGPG2 for now and the
>> future. In this context the installer is removing the old MacGPG2/gnupg2
>> version. Sorry if this broke anything.
>>
>>> but it was a scary introduction.
>>
>> Do you have any suggestions on how to deal with this issue?
>>
>> Br, Alex
>>
>> On 03.03.2011, at 20:54, Elliott Roper wrote:
>>
>>> I just got here today via a pop-up in GPG Mail. It said you were the new
>>> custodians and an update was available. Taken together, that smells of
>>> Trojan. So I went looking for signatures and a bulging web of trust. No
>>> record on any of the usual places.
>>>
>>> ..and, I went ahead and did the GPG-mail version update by clicking on all
>>> the clicky things. I kept a record of the SHA-1 digest off your web page,
>>> but could I find the download to test the digest after install was complete?
>>> That did not fill me with confidence.
>>>
>>> .. OK, you call it GPG2, and I did manage to fix up my Emacs options, but
>>> why did you have to delete the old GPG on my machines?
>>>
>>> OK I'm now happy enough with the provenance of the whole package and
>>> mailing list and all, but it was a scary introduction.
>>>
>>> Elliott Roper
>>> phone: +44 1663 747334
>>> mobile +44 7796 171018
>>> www.yrl.co.uk
>>>
>>> _______________________________________________
>>> gpgtools-users mailing list
>>> [email protected]
>>> FAQ: http://www.gpgtools.org/faq.html
>>> Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users
>>> Unsubscribe:
>>> http://lists.gpgtools.org/mailman/options/gpgtools-users/[email protected]?unsub=Unsubscribe&unsubconfirm=1
>>>
>>> This email sent to: [email protected]
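The two-step "download, check, then install" flow Elliott suggests in point 3, as an added Python example that is not part of this thread or of the GPGTools installer: the SHA-1 published on the web page only proves integrity, the GnuPG signature proves who released the file, and the install step runs only when both checks pass against a pinned signing-key fingerprint. The fingerprint, the gpg status lines and the sample data below are constructed placeholders; a real fingerprint would come from a channel independent of the download page (keyserver signatories, a web of trust, a key printed elsewhere).

```python
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path

# Constructed placeholders for the demo: not a real GPGTools key or release.
PINNED_FPR = "0" * 40  # fingerprint of the release-signing key, obtained out of band
SAMPLE_STATUS_GOOD = [  # shape of real `gpg --status-fd` output, values made up
    "[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG " + "0" * 40 + " 2011-03-03 1299200000 0 4 0 17 2 00 " + "0" * 40,
]
SAMPLE_STATUS_OTHER_KEY = ["[GNUPG:] VALIDSIG " + "1" * 40 + " 2011-03-03 1299200000 0 4 0 17 2 00 " + "1" * 40]
SAMPLE_STATUS_BAD = ["[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.org>"]

def sha1_matches(data: bytes, published_sha1: str) -> bool:
    """Integrity: does the downloaded file hash to the digest published on the site?"""
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), published_sha1.strip().lower())

def signature_trusted(status_lines, expected_fpr: str) -> bool:
    """Authenticity: accept only a VALIDSIG whose signing-key or primary-key fingerprint
    equals the pinned one. A good signature from some other key proves nothing here."""
    want = expected_fpr.replace(" ", "").upper()
    for line in status_lines:
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            if want in (f[2].upper(), f[-1].upper()):
                return True
    return False

def gpg_status(package: Path, sig: Path) -> list:
    """Run gpg --verify on the detached signature and return its machine-readable status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(sig), str(package)],
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def verify_then_install(data: bytes, published_sha1, status_lines, expected_fpr, install) -> str:
    """Step two of the two-step flow: refuse unless both integrity and authenticity hold."""
    if not sha1_matches(data, published_sha1):
        return "refused: digest mismatch"
    if not signature_trusted(status_lines, expected_fpr):
        return "refused: no valid signature from the pinned key"
    install(data)
    return "installed"

if __name__ == "__main__":  # usage: verify.py <package> <package.sig> <published-sha1>
    pkg, sig = Path(sys.argv[1]), Path(sys.argv[2])
    print(verify_then_install(pkg.read_bytes(), sys.argv[3], gpg_status(pkg, sig),
                              PINNED_FPR, lambda _: print("installing", pkg)))
```

The signature check deliberately ignores GOODSIG on its own: gpg reports GOODSIG for any key in the keyring, so pinning the fingerprint from VALIDSIG is what ties the package to the expected releaser.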
