[Pidgin] Are the packages signed modified

Pidgin trac at pidgin.im
Thu Sep 20 23:53:49 EDT 2012


Page "Are the packages signed" was changed by datallah
Diff URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed?action=diff&version=5>
Revision 5
Comment: Additional tweaks and grammatical improvements
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: Are the packages signed
=========================================================================
--- Are the packages signed (version: 4)
+++ Are the packages signed (version: 5)
@@ -1,11 +1,14 @@
 == What is a signature and why should I check it? ==
-When you download a file from the internet, you don't have a good way of knowing if it may have been tampered with.  It's not beyond the realm of possibility that someone could release a patched version of pidgin that transparently captured your passwords and uploaded them to some server.
 
-This is where signatures come in - file signatures are very similar in concept to the idea behind signing both the back of your credit card, and a credit card receipt.  The signature is a verification that the file came from who it was expected to come from.
+The fact that you're using pidgin means that you have some level of trust in the authors, but It's not beyond the realm of possibility that someone else could make an "evil" patched version of pidgin which would steal your sensitive data without your knowledge.
 
-You probably have noticed that vendors frequently don't bother to compare the signature on the receipt to the signature on the back of the card, which makes it so that anyone could have been using the credit card (let's pretend that the signature on a credit card slip isn't trivially easy to forge).  Similarly, if you don't verify the signature on a file, even if the file is signed, you don't have any confidence that it came from where it was expected to come from.
+When you download a file from the internet, unless you take additional steps, you don't have a good way of knowing if the file may have been tampered with.  If you were to somehow end up with the "evil" version instead of the official release, how would you know the difference?
 
-Due to the nature of how signing works, an additional benefit is that if you verify the signature, you can be confident that nothing got corrupted during the download process - the file you have is exactly as it was when it was signed.
+This is where signatures come in - file signatures are very similar in principle to the idea behind signing both the back of your credit card, and a credit card receipt (pretending that the signature on a credit card receipt isn't trivially easy to forge for the purpose of this example).  The signature can be used to verify that the file came from whom it was expected to come.
+
+You probably have noticed that vendors frequently don't bother to compare the signature on the credit card receipt to the signature on the back of the credit card.  When this happens, the vendor can't be confident that the person using the card is actually the card's owner.  Similarly, if a file isn't signed, or you don't verify the signature on a signed file,  you can't be sure that it came from where it was expected to come from.
+
+Due to the nature of how signing works, an additional benefit is that when you verify the signature, you can be confident that nothing got corrupted during the download process - the file you verified is exactly as it was when it was signed.
 
 == Source Tarballs ==
 The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by one of the following people:
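Review bot: capitalisation slip in the new second paragraph, "but It's not beyond the realm of possibility": "It's" should be lower-case mid-sentence, and "pidgin" in that same sentence is lower-case while the page title uses "Pidgin". The reworked credit-card paragraph also has a doubled space before "you can't be sure". On substance, the closing paragraph's claim that a verified file "is exactly as it was when it was signed" only helps the reader if the key that made the signature is one they trust; since the next section lists who signs the tarballs, consider adding a sentence that the signature is only as meaningful as the reader's confidence in the signing key, so they know to check the key against that list rather than just that some signature verifies.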
@@ -31,6 +34,8 @@
 As of Pidgin 2.10.7, the Windows installers are signed using the [http://msdn.microsoft.com/en-us/library/ms537361(v=vs.85).aspx Microsoft Authenticode] signing mechanism by Daniel Atallah using a key with a thumbprint of `C5476901C3C63FABF54CEBA9E3F887932A9579B5`.
 
 The signature can be verified most easily by using Windows Explorer to look at the Properties of the installer executable.
-In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.[[Image(windows_cert_verify_thumbprint.jpg)]]
+In the "Digital Signatures" tab, you can look at the Details of the signature, "View Certificate", and compare the (case-insensitive, whitespace-insensitive) "Thumbprint" value in the "Details" tab to the value listed above.
+
+[[Image(windows_cert_verify_thumbprint.jpg)]]
 
 Alternatively, the signature can be verified using Microsoft's `signtool.exe` utility (which, unfortunately, in order to obtain, requires that you install the at least parts of Microsoft Platform SDK).
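Review bot: the unchanged last line still reads "install the at least parts of Microsoft Platform SDK", which should be "install at least parts of the Microsoft Platform SDK"; since this revision is a grammar pass it is worth folding in. Moving the image reference onto its own line is fine. One gap in the Explorer instructions: comparing the thumbprint establishes which certificate signed the installer, but the reader should also confirm that the Digital Signatures tab reports the signature itself as valid, otherwise a file whose signature no longer verifies would still pass the check as written.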
-------8<------8<------8<------8<------8<------8<------8<------8<--------

--
Page URL: <https://developer.pidgin.im/wiki/Are%20the%20packages%20signed>
Pidgin <http://pidgin.im>

This is an automated message. Someone added your email address to be
notified of changes on 'Are the packages signed' page.
If it was not you, please report to datallah at pidgin.im.