Mailing List Archive

MacOSX help - beginner installation, first time
Hi everyone,

I'm new to GnuPG. I'm trying to install it for MacOSX, and I have a
beginner's question.

***Do I need to verify more information about the validity of GnuPG if:

1.) The SHA-256 checksum on my Mac's Terminal matches the one on
SourceForge where the Mac installer (.dmg) file is?

2.) The Mac installer (.dmg) and the Mac signature for the installer
(.dmg.sig) are both verified on my Mac's separate program "GPG Suite" (made
by "https://gpgtools.org/")?

***The files in question are "GnuPG-2.2.20.dmg", "GnuPG-2.2.20.dmg.sig",
and "Enigmail_public_key.asc". The link for the Mac downloads is "
https://sourceforge.net/p/gpgosx/docu/Download/"


Thank you very much for your time!

Cyrus
Re: MacOSX help - beginner installation, first time
On 2020-05-23 at 03:42 -0400, Cyrus Segura via Gnupg-users wrote:
> Hi everyone,
>
> I'm new to GnuPG. I'm trying to install it for MacOSX, and I have a
> beginner's question.
>
> ***Do I need to verify more information about the validity of GnuPG
> if:
>
> 1.) The SHA-256 checksum on my Mac's Terminal matches the one on
> SourceForge where the Mac installer (.dmg) file is?
>
> 2.) The Mac installer (.dmg) and the Mac signature for the installer
> (.dmg.sig) are both verified on my Mac's separate program "GPG
> Suite" (made by "https://gpgtools.org/")?
>
> ***The files in question are "GnuPG-2.2.20.dmg",
> "GnuPG-2.2.20.dmg.sig", and "Enigmail_public_key.asc". The link for
> the Mac downloads is "https://sourceforge.net/p/gpgosx/docu/Download/"
>
> Thank you very much for your time!
>
> Cyrus


What's your threat model?
What are the capabilities of an attacker? Are they able to modify the
files you are being shown? (maybe by compromising the SourceForge page,
or tampering with your connection)


Let's suppose you verified the dmg file GnuPG-2.2.20.dmg has SHA-256
39970099819616d4b66a4e471ce26db97384948d0f375e02aae9d9de1d69baa5

You downloaded Enigmail_public_key.asc and checked it has fingerprint
4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B

You performed these checks with programs known to be honest (a
hard-to-prove problem on its own; we probably take that as an axiom).


The values above are those I am being shown there. If they match those
you see, that suggests one of the following:
* your connection is not tampered with (you are shown the same as me)
* those values are tampered with at their source. It's unlikely that both
your connection and mine are tampered with by the same actor, but perhaps
they modified the web server.
* I sent you the correct values I was seeing, but that malicious actor
changed them before/after they arrived in your inbox.
* I am part of the cabal that is trying to fool you into accepting those
malicious files


Even if those you got are the 'real' files, that only means those are
the ones produced by Patrick Brunschwig. Do you trust him? Do you trust
all the code he used to produce that package? Do you trust that neither
the build machine nor his key was compromised?


Best regards


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: MacOSX help - beginner installation, first time
Hi Cyrus,

1. This is the SHA256 checksum I get for GnuPG-2.2.20.dmg:

39970099819616d4b66a4e471ce26db97384948d0f375e02aae9d9de1d69baa5

2. The signature (GnuPG-2.2.20.dmg.sig) checked out for me:

gpg: Signature made Sat Mar 21 12:42:46 2020 CET
gpg:                using RSA key 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B
gpg: Good signature from "Patrick Brunschwig <patrick@enigmail.net>" [full]
gpg:                 aka "Patrick Brunschwig <patrick@brunschwig.net>" [full]
gpg:                 aka "[jpeg image of size 13251]" [full]
Primary key fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B

Furthermore...

1. I have met Patrick Brunschwig in person, checked his government ID.
He also checked mine.
2. We both cross-signed each other's keys.
3. You can verify this by getting our pubkeys from pgpkeys.urown.net
4. You can check the OpenPGP signature on this email to verify my key is:
9386 A2FB 2DA9 D0D3 1FAF 0818 C0C0 7613 2FFA 7695


Now, of course you don't know me, but you now have a bit more info to go on.

Maybe there's someone in this list below that you know / trust to check ID
and / or verify key fingerprints? My key:

https://pgpkeys.urown.net/pks/lookup?op=vindex&search=0xC0C076132FFA7695

Meeting people in person and verifying key fingerprints is of course best,
but not always a realistic option for every piece of software :-)

Good luck!

Jonathan