Need hash sums for .EXE if from sourceforge
134ra5w02 at sneakemail.com
Fri Jun 1 10:23:51 EDT 2012
>> since the installer has an "unknown publisher" I'd like to confirm (e.g., via md5
>> or sha1 hash) that the download I am getting from sourceforge hasn't been
>> tampered with. Can someone point me to the hash sums?
>I don't have checksums for the files, sorry. But you raise a good
>question... maybe we should be signing our Windows builds somehow?
>Maybe we normally do that, but this build was built by a different
>person? Or maybe we would have to go through some kind of crazy
>certification system in order to get a certificate?
>I could always create gpg signatures of the .exe files the same way we
>do for the tarballs.
Unfortunately this won't help many Windows users as most won't have ways of verifying the signature.
Windows comes with a utility for computing MD5 and SHA1 checksums of files, so why not simply dedicate a page on pidgin.im to enumerate such sums of your releases? Then those who are concerned can verify their sourceforge download.
(See keepass.info for a product site that does this)
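An added example, not part of the original message or of the Pidgin project's code: the check proposed above, where a project publishes a list of hash sums on its own site and a user compares a mirror download against it. It assumes a `sha256sum`-style list format and uses SHA-256 rather than the MD5/SHA1 sums mentioned in the thread; the file names and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sums(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum style) into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def verify_download(path, published_text, algo="sha256"):
    """Return 'ok', 'mismatch', or 'unlisted' for a downloaded file."""
    expected = parse_sums(published_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published sum: treat as unverified, not as good
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    # Constructed sample: a stand-in "installer" and the list a project would publish.
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "example-setup.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed installer bytes")
        published = "# SHA-256 sums (constructed)\n%s  example-setup.exe\n" % file_digest(exe)
        results = [verify_download(exe, published)]
        with open(exe, "ab") as f:  # simulate a download that was modified
            f.write(b"\x00")
        results.append(verify_download(exe, published))
        other = os.path.join(d, "not-listed.exe")
        open(other, "wb").close()
        results.append(verify_download(other, published))
        return results

if __name__ == "__main__":
    print(demo())
```

The comparison only means something when the published list is fetched from a different channel than the file itself, such as the project's own site rather than the download mirror.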