Arrakistor wrote:
> Nick,
>
> Yes but the sig is only as good as the person you trust. That is why I
> haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
> trusted binary. I don't think they yet have a pgp plugin for NSIS
> language yet. I'll see what else can be done for verifying sigs.

You're not going to get a better way to validate trust than a pgp signature. If you don't trust the tor signing release keys, you shouldn't trust the code they're signing. Some random .onion address given over a mailing list isn't a secure way to verify anything. Someone can compromise the server on the other end of the .onion address.

It sounds like you're building an automatic updater for your system. I suspect that you should be very careful as you're introducing a method for automatically downloading binaries and potentially running untrusted code. You need to verify the pgp signature of builds just as you would source code before building.

At the cost of repeating what Nick said, you're verifying pgp signatures already, right?

Something,
Jacob Appelbaum
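
The check the message above asks an automatic updater to make, as an added example that is not part of the original thread or of any project's code: accept a downloaded build only when gpg's machine-readable status output shows a valid signature from a pinned release-key fingerprint. The fingerprint, key id and sample status lines are constructed placeholders, and the function names are hypothetical.

```python
import subprocess

# Constructed placeholder fingerprint; a real updater ships the release key's
# full fingerprint inside the installer, obtained out of band.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
PINNED = {FPR}

# Status keywords that disqualify a signature even if VALIDSIG also appears.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def signer_if_trusted(status_text, pinned=PINNED):
    """Return the pinned primary-key fingerprint that signed, else None."""
    signer = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG":
            # Field 11 is the primary key fingerprint (field 2 may be a
            # signing subkey); older gpg versions omit it.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
            if fpr in pinned:
                signer = fpr
    return signer

def verify_update(sig_path, file_path, keyring):
    """Check a detached signature before the updater touches the binary."""
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return signer_if_trusted(proc.stdout)

# Constructed status output for three cases (not captured from a real run).
TAIL = " 2006-08-28 1156723200 0 4 0 1 2 00 "
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key\n"
        "[GNUPG:] VALIDSIG " + FPR + TAIL + FPR + "\n")
EXPIRED_KEY = GOOD.replace("GOODSIG", "EXPKEYSIG")
WRONG_KEY = GOOD.replace(FPR, "F" * 40)
```

Pinning the full fingerprint matters because any key in the keyring can produce a mathematically valid signature; the updater should run the binary only when `verify_update` returns a fingerprint.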