Dave Page wrote:
> In order to compromise those file signatures, an attacker would have
> to replace my public key on the pgAdmin SVN repo (from where it
> propagates out to the webservers),
If you believe that breaking into the web server is impossible, or
impossible enough, you don't need PGP signatures, because the file that
is being protected sits on the same or similar web server.
> and somehow replace the copy on
> the keyservers (which you also checked right?),
Uploading a key to a key server is simple enough, and I have no
knowledge that the key that is there now is yours to begin with. And
even if you tell me it is, I don't know that you sent this email.
You see, all an attacker would really have to do is install an HTTP
proxy near the recipient's host that deals out altered files. The
security of the infrastructure on your side is only part of the
generally insecure communications link that PGP wants to protect
against.
Of course this is thoroughly paranoid, and I have no suspicion at all
that pgAdmin downloads are being compromised, but recently I see too
many people who attempt to "secure" their downloads by signing them
with signature-less PGP keys, which gives exactly nil additional
security.
> Compare that to the md5sum's that Greg(?) produces
That is not the standard you want to compare with. But Greg actually
does have signatures on his key.
--
Peter Eisentraut
http://developer.postgresql.org/~petere/