PGP signature for application #55
Comments
|
If it helps, the MD5/SHA1 checksums for the current distribution files are available here: |
|
Hi Phil, Thanks for getting back to me so quickly. Checksums are brilliant for error detection but less good for security. If the site was compromised then as well as switching the application file, an attacker would also alter the checksum values so that they matched. (One of) The good thing about PGP is that if you have signed something then it is impossible to repudiate that it was signed by anyone other than your private key. If you keep your private key on a fairly secure offline machine then the risk of compromise is pretty low. |
|
Thanks for the explanation. I did a quick bit of research. It looks simple enough to create a detached signature with gpg. I'll consider adding this to the release scripts.
|
|
Cheers Phil 👍 :) . I'm on Mac and I use GPG Keychain which is super easy to use, and I would highly recommend. |
|
I'll keep this open as a reminder until I get a chance to spend a bit of time on this. |
Thank you Phil, and to all contributors, for providing and maintaining this incredibly useful tool!
My primary use of Exiftool is to strip out metadata of files that I will be putting online. Given how brilliantly your tool does this, I'm sure there must be other people who do the same!
I was just wondering whether you would be able to provide a pgp signature of the application for the security/privacy minded user?
Thanks Again! 👍
The text was updated successfully, but these errors were encountered: