GnuPG/PGP Signatures

[asjones]

I search the Heidi web site but could not find a PGP public key. I thought I had read old copies of eraser were signed.

Is this something that will be done for the final 5.8 or future 5.8 betas?

I am sure as popular as Eraser is there could be "fake" versions.

It just seems wise for Heidi to have a corperate public key.

 

[michael_s]

I, too, would be much more comfortable if a PGP signature file of the latest Eraser installer was available online. Or at a minimum, a SHA1 or MD5 digest of the installer, hosted on a site other than SourceForge. This will greatly hinder a malicious attacker from replacing the Eraser installer, with one that installs a Trojan horse.

Most open source, security-oriented software follows this practice, including GPG and OpenSSH. If Eraser is to be considered serious about security, I think the author should consider following their lead.

Apologies if this is already being done, and I've just overlooked the information.

-Mike

 

[garrett01]

The install is already digitally signed with our own root cert.

Garrett

 

[michael_s]

Hi Garrett,

Are you referring to Authenticode? If so, I don't see a "Digital Signatures" tab when I view the properties of eraser582setup.exe in Windows Explorer.

If you're referring to a PGP/GPG .sig file, where can I download it for version 5.82?

Thank you.

-Mike