Need hash sums for .EXE if from sourceforge

Kevin Stange kstange at pidgin.im
Fri Jun 1 12:11:04 EDT 2012


On 05/31/2012 06:17 PM, Mark Doliner wrote:
> On Tue, May 8, 2012 at 6:29 PM, BobH <134ra5w02 at sneakemail.com> wrote:
>> since the installer has an "unknown publisher" I'd like to confirm (e.g., via md5
>> or sha1 hash) that the download I am getting from sourceforge hasn't been
>> tampered with. Can someone point me to the hash sums?
> 
> I don't have checksums for the files, sorry.  But you raise a good
> question... maybe we should be signing our Windows builds somehow?
> Maybe we normally do that, but this build was built by a different
> person?  Or maybe we would have to go through some kind of crazy
> certification system in order to get a certificate?
> 
> I could always create gpg signatures of the .exe files the same way we
> do for the tar balls.

The "proper" way to do this on Windows is to use Microsoft's
Authenticode feature and a code signing certificate.  The cert seems to
start at $166 per year with Comodo, and I guess any vendor on this list
would work:

http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

We'd need to decide if we wanted to commit to the cost of such a key to
do this a way that would be handled automatically in Windows.

Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/pipermail/support/attachments/20120601/37709327/attachment.sig>


More information about the Support mailing list