Need hash sums for .EXE if from sourceforge

BobH 134ra5w02 at sneakemail.com
Fri Jun 1 10:23:51 EDT 2012


>> since the installer has an "unknown publisher" I'd like to confirm (e.g., via md5
>> or sha1 hash) that the download I am getting from sourceforge hasn't been
>> tampered with. Can someone point me to the hash sums?
>
>I don't have checksums for the files, sorry.  But you raise a good
>question... maybe we should be signing our Windows builds somehow?
>Maybe we normally do that, but this build was built by a different
>person?  Or maybe we would have to go through some kind of crazy
>certification system in order to get a certificate?
>
>I could always create gpg signatures of the .exe files the same way we
>do for the tar balls.

Unfortunately this won't help many Windows users as most won't have ways of verifying the signature. 

Windows comes with a utility for computing MD5 and SHA1 checksums of files, so why not simply dedicate a page on pidgin.im to enumerate such sums of your releases? Then those who are concerned can verify their sourceforge download. 

(See keepass.info for a product site that does this)



More information about the Support mailing list