Quoth Philip Hazel on Wed, Oct 09, 2002 at 11:51:29 +0100
> On Wed, 9 Oct 2002, Florian Weimer wrote:
> > In the wake of the recent trojans, it might be a very good idea to
> > cryptographically sign Exim source code releases (and the release
> > announcements).
>
> For many years I have published the MD5 checksums with every
> announcement.
Sadly it does not seem to be the case anymore. However, just signing the
MD5 will be enough.
> Do you need more? If so, it will take time for me to obtain, install,
> learn about, and use cryptographic signing software. Not to mention
> organizing the appropriate keys.
The problem with both the Sendmail and OpenSSH trojans was that the core
servers were compromised and the hacker was able to re-create the MD5 using
his own wormed copy of the software.
If you want to use GPG, then signing is really easy once you have a key:
$ gpg --gen-key
[... follow what it says ...]
$ gpg -sb file
[creates a file.sig which is the signature]
$ gpg --verify file.sig file
[verifies the signature]
Of course, we will all need to get your public key...
--
yann@??? -=*=- www.kierun.org
PGP: www.kierun.org/pgp/key-kierun
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318
IRC: nick kierun, server spod.uk.amiganet.org, channel #sanctus
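Added example, not part of this thread and not Exim's release tooling: the
"sign the checksum list" workflow the message above proposes, run end to
end against a constructed stand-in release in a throwaway GnuPG home. It
assumes GnuPG 2.x (gpg, gpgconf) and the POSIX cksum and cmp tools are
installed; the key, the file names and the file contents are all made up
for the demonstration. It shows the two failure modes a signed list gives
you: an attacker who swaps the tarball alone trips the checksum, and one
who swaps the tarball and regenerates the list (the compromised-server
case) trips the signature, because the list can no longer be re-signed
without the private key.

```shell
#!/bin/sh
# Added example (not from the thread): detached GPG signature over a
# release checksum list, exercised against tampering. Everything lives in
# a temporary directory with its own keyring, so ~/.gnupg is never touched.
set -u

# Create the work area, a constructed stand-in tarball and a throwaway,
# passphrase-less signing key. Returns 0 on success.
setup_demo() {
    command -v gpg >/dev/null 2>&1 || return 1
    DEMO=$(mktemp -d) || return 1
    export GNUPGHOME="$DEMO/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Constructed release archive; the contents are arbitrary.
    printf 'stand-in for a source release\n' > "$DEMO/release.tar.gz"
    # Constructed demo key (user id and address are placeholders).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Signer (demo) <signer@example.invalid>' \
        default default never 2>/dev/null
}

# Publisher side: write the checksum list and sign it with a detached
# signature (equivalent to "gpg -sb release.sums"), producing release.sums.sig.
make_signed_sums() {
    (cd "$DEMO" && cksum release.tar.gz > release.sums) || return 1
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --output "$DEMO/release.sums.sig" --detach-sign "$DEMO/release.sums" \
        2>/dev/null
}

# Downloader side: check the signature on the list first, then check the
# tarball against the list. Returns 0 if good, 1 on a bad signature,
# 2 on a checksum mismatch.
verify_release() {
    gpg --batch --quiet --verify "$DEMO/release.sums.sig" "$DEMO/release.sums" \
        2>/dev/null || { echo "signature on checksum list is BAD"; return 1; }
    (cd "$DEMO" && cksum release.tar.gz | cmp -s - release.sums) \
        || { echo "tarball does not match the signed checksum list"; return 2; }
    echo "release verified"
}

# Runs verify_release and prints only its exit status.
verify_code() {
    verify_release >/dev/null 2>&1
    echo $?
}

# Three scenarios in sequence; sets SCENARIO_RESULTS to the three exit
# codes, e.g. "0 2 1", and prints them. Returns 1 if setup failed.
run_scenarios() {
    setup_demo || return 1
    make_signed_sums || return 1
    honest=$(verify_code)                       # untouched release: 0
    # Attacker replaces only the tarball (list still signed and intact).
    printf 'trojaned build\n' >> "$DEMO/release.tar.gz"
    swapped=$(verify_code)                      # checksum mismatch: 2
    # Attacker also regenerates the list, as in the Sendmail/OpenSSH case,
    # but cannot re-sign it: the old signature no longer matches.
    (cd "$DEMO" && cksum release.tar.gz > release.sums)
    regenerated=$(verify_code)                  # bad signature: 1
    SCENARIO_RESULTS="$honest $swapped $regenerated"
    command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent 2>/dev/null
    printf '%s\n' "$SCENARIO_RESULTS"
}

run_scenarios
```

The order matters for the reader: verify the signature on the list before
trusting anything in it, then verify the tarball against the list. If the
list is served unsigned, an attacker who controls the server simply
recomputes it, which is exactly what happened in the trojans mentioned
above.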