[Geany-Users] GPG Signature for Windows Binaries

Mon Dec 17 23:31:38 UTC 2018

Hi,

OK, I added a GPG signature on https://www.geany.org/Download/Releases.

Just note, that it is signed with my key which is a different key used
for signing the source tarballs.

Regards,
Enrico

On 12/17/18 3:48 PM, dany111 at email.it wrote:
> Hi Enrico,
> I understand that the installer contains more binaries which are not signed by you, but I think that a GPG-signed .exe would be more trustable than a md5-certificated .exe. I think it would be an improvement simple to add.
> 
> Best regards,
> Daniel
> 
> ----- Original Message -----
> Hi <whoever you are>,
> 
> On 12/16/18 10:29 PM, dany111 at email.it wrote:
>> Given that you already sign the source packages, could you sign the Windows Installer too?
> 
> I could.
> The installer as well as all binaries created from the Geany sources
> itself (that is geany.exe, libgeany.dll and the plugin DLLs) are signed
> with a SSL certificate from cacert.org.
> You can check these signatures on Windows in the file properties dialog
> on the "Digital Signatures" tab.
> 
> Usually you get a verification failure because Windows doesn't know the
> CA the certificate is signed with (cacert.org). But this is a problem of
> Windows, not of Geany.
> You can download the root certificate of the cacert.org CA on
> http://www.cacert.org/index.php?id=3.
> 
> The installer contains more binaries which are not signed by us as they
> are not created by us but taken from the MSYS2 project. Detailed
> information about the included runtime libraries are where they were
> downloaded from can be found in the installation directory in the file
> called "ReadMe.Dependencies.Geany.txt".
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.geany.org/pipermail/users/attachments/20181218/ccef75d2/attachment-0001.sig>