Re: [Exim] OpenPGP signatures on Exim releases

Author: Florian Weimer
Date:  
To: exim-users
Subject: Re: [Exim] OpenPGP signatures on Exim releases
Philip Hazel <ph10@???> writes:

> Do you need more?
I think MD5 sums in release announcements are no longer sufficient.
Someone might distribute a forged announcement and put a trojaned
version on the FTP servers.

> If so, it will take time for me to obtain, install, learn about, and
> use cryptographic signing software.
Installing GnuPG on a GNU/Linux or recent Solaris system (Solaris 8
with /dev/random patch and Solaris 9 are fine) is straightforward.
But you might want to wait for the 1.2.1 version which corrects a few
bugs.

Anyway, I can post a list of steps required to sign Exim releases using
OpenPGP. Interested?

> Not to mention organizing the appropriate keys.
You don't have to obtain a certification from some well-known CA. It
would be sufficient if Ian Jackson signed your key (I think he's still
at Cambridge). ;-)

--
Florian Weimer                       Weimer@???
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
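The signing and verification steps offered above, worked through as an added example. This script is not part of the original mail or of the Exim project's release process; it is a POSIX shell demonstration written for this page. Everything in it is hypothetical or constructed: the signing key and its user ID (`release@example.invalid`), the tarball name `exim-4.10.tar.gz` and its contents, and the "trojaned" copy. It goes slightly beyond the mail by putting the two checks side by side: an MD5 sum quoted in an announcement, which a forged announcement can match trivially, and a detached OpenPGP signature, which an attacker without the maintainer's private key cannot produce. It needs GnuPG 2.1 or later and GNU `md5sum`.

```shell
#!/bin/sh
# Added example, not from the original mail or from the Exim project: sign a
# release tarball with a detached OpenPGP signature using GnuPG, verify it,
# and show why an MD5 sum quoted in an announcement is not enough on its own.
# Hypothetical/constructed: the signing key and its user ID, the tarball name
# and contents, and the "trojaned" copy. Needs GnuPG 2.1+ and GNU md5sum.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupghome"      # throwaway keyring; ~/.gnupg is untouched
mkdir -m 700 "$GNUPGHOME"
SIGNER='release@example.invalid'         # hypothetical maintainer key

# Unprotected, short-lived signing key for the demo only. A real release key
# is long-lived, passphrase-protected, and certified by people who know you.
make_throwaway_key() {
    cat >"$WORK/keyparams" <<EOF
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Exim Release (example)
Name-Email: $SIGNER
Expire-Date: 1y
%commit
EOF
    gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null
}

# sign_release TARBALL: writes TARBALL.asc, an ASCII-armoured detached signature.
sign_release() {
    gpg --batch --quiet --yes --local-user "$SIGNER" \
        --armor --detach-sign --output "$1.asc" "$1"
}

# verify_release TARBALL: exit 0 only if TARBALL.asc is a good signature over
# TARBALL by a key in the keyring; non-zero for a bad signature or unknown key.
verify_release() {
    gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1
}

# md5_of FILE / md5_matches FILE SUM: the only check an announcement-only MD5
# sum gives a downloader.
md5_of() { md5sum "$1" | cut -d' ' -f1; }
md5_matches() { [ "$(md5_of "$1")" = "$2" ]; }

# Constructed sample release and a tampered copy an attacker could upload.
GOOD="$WORK/exim-4.10.tar.gz"
BAD="$WORK/exim-4.10.tar.gz.trojaned"
printf 'genuine release contents\n' >"$GOOD"
printf 'genuine release contents\nplus a backdoor\n' >"$BAD"

demo() {
    make_throwaway_key
    sign_release "$GOOD"
    verify_release "$GOOD" || { echo "genuine tarball: signature FAILED"; return 1; }
    echo "genuine tarball: signature OK"

    # A forged announcement simply quotes the MD5 of the trojaned file, so the
    # checksum the downloader computes matches...
    md5_matches "$BAD" "$(md5_of "$BAD")" || { echo "MD5 mismatch?"; return 1; }
    echo "trojaned tarball: MD5 matches the forged announcement"

    # ...but without the maintainer's private key the attacker can only reuse
    # the genuine signature, which does not verify over the tampered bytes.
    cp "$GOOD.asc" "$BAD.asc"
    if verify_release "$BAD"; then
        echo "trojaned tarball: signature OK (must not happen)"; return 1
    fi
    echo "trojaned tarball: BAD signature, download rejected"
}

# Run the demonstration when executed directly (skipped if GnuPG is absent).
if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not found; install GnuPG to run this demo" >&2
fi
```

The demo deliberately skips the hard part Philip raises about "organizing the appropriate keys": signer and verifier share one keyring here, so `gpg --verify` already knows the key. In real use the downloader must obtain the maintainer's public key through a path the attacker cannot also forge, which is exactly why the mail suggests having the key certified by someone people already know (rather than a commercial CA), and why a verifier should compare the fingerprint `gpg --verify` reports against one obtained out of band rather than trusting a key that arrived alongside the tarball.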