It's a first-party download via HTTPS and encouraging people to install extra software without a more meaningful way to verify that is only doing harm. GPG is also proving to be the bottleneck for the installation process and I'll probably be switching to signify for Linux users.
Even for a simple case like this, GPG is opaque and difficult. There's too much that can and does go wrong. I think people would be better off with a tiny public key to save and confirm out-of-band with it explicitly referenced in the verify command. No complex keyring nonsense.
I can sign the signify key with my GPG key. I could keep providing GPG signatures, but I'm very tired of this terrible software. I don't want to deal with it myself. I wish there was a better way to sign Git tags. Maybe I should just generate manifests with hashes and sign those.
Signed tags are still relying on the security of Git's chained sha1 hashes anyway. It's mitigated a bit by the fact that objects have a size in their header, but it's still pretty terrible. Git also exposes a lot of attack surface. A signed manifest would be simpler and safer.
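The "sign a manifest of hashes, verify against one tiny pinned key" idea from the two posts above, worked through as an added example. This is illustrative Go written for this page, not the author's tooling and not signify's real file format: it uses Go's standard-library Ed25519 in place of signify, a made-up manifest line format of `<sha256-hex>  <filename>`, and a handful of constructed in-memory files standing in for a release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest line format assumed for this example (not signify's, not the
// author's): "<sha256 hex>  <filename>\n", one line per file, sorted by name
// so the same file set always produces the same bytes to sign.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// SignManifest signs the manifest bytes only; the release files themselves
// are covered indirectly through the hashes listed in the manifest.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// PinnedKeyString is the 32-byte public key as base64: short enough to be
// published on a web page and compared out-of-band by a user.
func PinnedKeyString(pub ed25519.PublicKey) string {
	return base64.StdEncoding.EncodeToString(pub)
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against pinned key")
	ErrNotInManifest = errors.New("file is not listed in the signed manifest")
	ErrHashMismatch  = errors.New("file hash does not match the signed manifest")
)

// VerifyDownload is the user side: check the manifest signature against the
// explicitly supplied pinned key first, and only then trust the hash list.
// No keyring, no trust database, no key lookup by id.
func VerifyDownload(pinnedPub ed25519.PublicKey, manifest, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(pinnedPub, manifest, sig) {
		return ErrBadSignature
	}
	want := ""
	for _, line := range strings.Split(string(manifest), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) == 2 && parts[1] == name {
			want = parts[0]
		}
	}
	if want == "" {
		return ErrNotInManifest
	}
	got := sha256.Sum256(data)
	if hex.EncodeToString(got[:]) != want {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed sample release, standing in for real downloads.
	files := map[string][]byte{
		"installer.tar.gz": []byte("pretend tarball contents"),
		"installer.exe":    []byte("pretend windows installer"),
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("pinned key:", PinnedKeyString(pub))
	fmt.Print(string(manifest))
	fmt.Println("good file:", VerifyDownload(pub, manifest, sig, "installer.exe", files["installer.exe"]))
	fmt.Println("tampered file:", VerifyDownload(pub, manifest, sig, "installer.exe", []byte("backdoored")))
}
```

Note the ordering in VerifyDownload: the signature is checked before any hash is compared, so a tampered manifest is rejected outright rather than partially trusted, and every failure mode gets its own error so a wrapper script can tell "wrong key" from "corrupt download".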
Microsoft's official recommendation seems to be "signtool", which is unfortunately not included with Windows, but comes with the Windows SDK. docs.microsoft.com/en-us/windows/ Windows only includes "certutil", which can calculate plain hashes.
I wish S/MIME were in a state where you could use "download this EML file and check the S/MIME signature in your mail client before extracting the 'attachment'" as a crutch to provide at least a sizeable fraction of users with a GUI without requiring additional software… 😞