
gpg4win: No HTTPS mirrors available; no HTTPS hash available
Closed, Resolved (Public)

Description

I want to download gpg4win. I want to have some assurance that I am not being
served a poisoned binary. If the file is served over HTTPS that helps. If your
website publishes the hash of the binary over an HTTPS connection that helps too.

Your site says to download gpg4win from gpg4win.org which does not have a valid
SSL cert. Your site does not publish a hash for the gpg4win-2.2.1.exe binary.
Please help me make sure that my binary is legit.

Event Timeline

werner lowered the priority of this task from High to Wishlist. Jul 3 2014, 11:09 AM
werner removed projects: Bug Report, gpgweb.

PKIX is entirely broken. Even the most expensive SSL certificate does not get
you any assurance. To avoid man-in-the-middle threats, please check the OpenPGP
signature with an existing version of gpg4win or compare the published
SHA-1 checksums with those from the announcement mails.

aheinecke claimed this task.

In addition to T1665 (wk on Jul 03 2014, 11:13 AM / Roundup) (outlining that a trust path to the global SSL companies
is available and thus resolving this):

https://files.gpg4win.org is verified by a certificate that is available over
https://ssl.intevation.de/; this site is "verified" by one of the preinstalled
companies. (You are hopefully aware that you just have to send them some bucks
and some unsigned mails with an @intevation.de address claiming that you are
intevation.de to get such a certificate.)

We also bought a certificate for codesigning so that in Windows itself you get
an assurance that one of the >100 Root CAs in their certificate program earned
some money from us ;-)

Please check the OpenPGP signatures or the checksums in our release
announcements and decide for yourself if you trust us. We can just buy your
trust otherwise.
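As an added example (not code from this ticket or from the gpg4win project), the verification werner and aheinecke recommend, written as a small Python script: compare the installer's SHA-1 against a checksum listing in the sha1sum format used in announcement mails, then verify the detached OpenPGP signature with an already-installed gpg. The file name, listing text and file bytes are constructed placeholders, not the real gpg4win-2.2.1.exe or its checksum.

```python
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path

def sha1_of_file(path):
    """Chunked SHA-1 of a file (the checksum type the release announcements list)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_list(text):
    """Parse sha1sum-style lines ('HEX  name' or 'HEX *name') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line or comment
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected

def checksum_matches(path, checksum_text):
    """True only if the file is listed by name and its SHA-1 equals the listed one."""
    expected = parse_checksum_list(checksum_text)
    name = Path(path).name
    if name not in expected:
        return False  # a file the announcement never listed is not verified
    return hmac.compare_digest(sha1_of_file(path).encode(), expected[name].encode())

def openpgp_signature_ok(path, sig_path):
    """gpg --verify of a detached signature with an already-trusted gpg; None if gpg is absent.
    This is the stronger check: SHA-1 collisions are practical today, so the checksum
    mainly catches a corrupted or swapped download, not a deliberately forged one."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--verify", str(sig_path), str(path)], capture_output=True)
    return proc.returncode == 0

if __name__ == "__main__":
    # Constructed sample: not the real installer, and not its real checksum.
    sample = Path(tempfile.mkdtemp()) / "gpg4win-2.2.1.exe"
    sample.write_bytes(b"constructed sample bytes, not the real installer")
    listing = hashlib.sha1(sample.read_bytes()).hexdigest() + "  gpg4win-2.2.1.exe"
    print("checksum ok:", checksum_matches(sample, listing))
```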