Discussion:
[privoxy-devel] [privoxy-users] 3.0.23 Fake or not?
Lee
2015-01-25 17:58:21 UTC
http://sourceforge.net/projects/ijbswa/files/Win32/3.0.23%20%28stable%29/privoxy-3.0.23.zip/download
Is this version, 3.0.23, legit?
Anyone have any good doc links to how to establish/verify PGP/GPG
signatures _without_ going to a key signing party? I'm thinking it
would be nice if the Privoxy documentation had at least a reference to
how to verify the software.
Did you check the OpenPGP signature?
gpg: assuming signed data in 'privoxy-3.0.23.zip'
gpg: Signature made Sun Jan 25 01:21:05 2015 CET using RSA key ID 1EEA20AA
[... warning removed ...]
Primary key fingerprint: F070 FC80 7563 38C3 B527 7AF5 E79B 774B 1EEA 20AA
The signature files are usually available in the same directory as the
http://sourceforge.net/projects/ijbswa/files/Win32/3.0.23%20%28stable%29/
Security is not a priority for Sourceforge, so this is unfortunately
not obvious from the project page.
Another possibility is signing up for the privoxy developers mailing
list so one will know when a new version is due to be released.
I already used it after I noticed this. Am I infected?
If you frequently install binaries without checking signatures,
there's a fair chance that your system has already been infected,
probably not through a Privoxy release, though.
The facts:
1. There is no 3.0.23 in /source.
2. There is no 3.0.23 in other OSes.
We are currently preparing the 3.0.23 release.
In theory Sourceforge allows one to "hide" uploads until the announcement
is out, but like pretty much anything else related to Sourceforge, this
does not work reliably and frequently files can be downloaded before they
are "officially" released.
I thought that was a "feature" :)
This does not affect the 3.0.23 source tarball because it's created and
signed by me and Sourceforge currently doesn't let me upload stuff to the
project page.
I uploaded it for you, but left the 3.0.23 folder marked as "hidden".
Want it unhidden?

Lee
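The check Fabian describes above (a good signature plus the primary key fingerprint), as an added shell example that is not from this thread or the Privoxy project: it pins the fingerprint quoted above and parses gpg's machine-readable status output, so a valid signature from any other key is rejected even if that key shares the short ID 1EEA20AA (32-bit key IDs are not unique). The signature filename privoxy-3.0.23.zip.asc is an assumption; use whatever name the project's download directory lists.

```shell
#!/bin/sh
# Added example, not from the thread. Pins the primary key fingerprint quoted
# in the thread and checks gpg's --status-fd output against it, rather than
# trusting the short key ID printed in the human-readable output.
PINNED_FPR="F070 FC80 7563 38C3 B527 7AF5 E79B 774B 1EEA 20AA"

# Normalise a fingerprint (drop spaces, upper-case) so both spellings compare.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Reads gpg --status-fd lines on stdin. VALIDSIG is emitted only for a good
# signature; field 3 is the signing key's fingerprint and the last field (on
# gpg versions that print it) the primary key's. Returns 0 only if one of
# them equals the pinned fingerprint; BADSIG/ERRSIG/NO_PUBKEY never match.
status_matches_pinned() {
    want=$(norm_fpr "$PINNED_FPR")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Verify FILE against its detached signature SIGFILE, which sits in the same
# download directory (e.g. privoxy-3.0.23.zip and privoxy-3.0.23.zip.asc;
# the .asc name is assumed). Exit status 0 only when the pinned key signed it.
verify_release() {
    file=$1; sig=$2
    if gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | status_matches_pinned; then
        echo "OK: $file carries a good signature from the pinned key"
        return 0
    fi
    echo "FAIL: $file is unsigned, modified, or signed by another key" >&2
    return 1
}
```

Run it as `verify_release privoxy-3.0.23.zip privoxy-3.0.23.zip.asc` after importing the project's public key; a missing key shows up as a FAIL, not as a silent pass.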
Fabian Keil
2015-01-25 19:32:52 UTC
Post by Lee
This does not affect the 3.0.23 source tarball because it's created and
signed by me and Sourceforge currently doesn't let me upload stuff to the
project page.
I uploaded it for you, but left the 3.0.23 folder marked as "hidden".
Want it unhidden?
Yes, please.

Fabian
Fabian Keil
2015-01-26 12:01:49 UTC
Post by Lee
http://sourceforge.net/projects/ijbswa/files/Win32/3.0.23%20%28stable%29/privoxy-3.0.23.zip/download
Is this version, 3.0.23, legit?
Anyone have any good doc links to how to establish/verify PGP/GPG
signatures _without_ going to a key signing party? I'm thinking it
would be nice if the Privoxy documentation had at least a reference to
how to verify the software.
The Tor project has a "How to verify signatures for packages" page:
https://www.torproject.org/docs/verifying-signatures.html.en

I doubt that many users read, understand and follow the instructions,
though. For someone who has never heard of OpenPGP and the concepts
involved before, the instructions are rather complicated.

I agree that having such instructions anyway would be a good idea, though.

Fabian
