You are here

What is the MD5 hash for GPG for Thunderbird Portable 1.4.9?

7 posts / 0 new
Last post
crux
Offline
Last seen: 4 years 1 week ago
Joined: 2008-06-13 18:10
What is the MD5 hash for GPG for Thunderbird Portable 1.4.9?

I apologize if this should go in the Other Apps Support forum.

The one I downloaded had an MD5 hash of: 31a1265e47e8737a1f5a1b8247634c88

This is the one I downloaded:

https://downloads.sourceforge.net/portableapps/GPG_for_Thunderbird_Porta...
GPG for Thunderbird Portable (2008-07-25 20:19)
GPG_for_Thunderbird_Portable_1.4.9.paf.exe 1850552

It would be a bad idea to use GPG without at least some verification.

mstinaff
Offline
Last seen: 14 years 8 months ago
Joined: 2006-10-01 10:58
Straight to the horses mouth

My apologies for not understanding your end goal earlier. The notion of signing hashing or otherwise authenticating the gpg download comes down to a matter of trust. And generally speaking the crowd that uses GnuPG is a little more paranoid security conscious than your average geek.

I provide an md5 hash for GnuPG Portable mostly to verify there were no download errors. I provide an attached sig inside to have something to test a new WinPt Portable, GPA Portable, or GnuPT install against. That and to back up my version with my reputation. But again I am just a middle man. To really verify you should go to the source.

GnuPG SHA-1 hashes
However they only provide hashes for their packaged downloads and not the individual binaries. So you would have to download the GnuPG solution you want, install it, then download the matching GnuPG version directly from the GnuPG website, verify the SHA-1 sum, extract the binaries and use them to overwrite the installed binaries.

I hope that this helps.

Edit
As for getting the MD5 for GnuPG for Thunderbird Portable. I've done some poking around and can't seem to find it anywhere either. The original uploader would be the one to go to I guess. In this case I believe that is Mr Haller

Edit++
And there he is! Thank you!

Key ID: 0xDAE3095F
Fingerprint: 5D98 65D2 1844 21A5 76C1 F0F6 4BE6 D689 DAE3 095F

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 41 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Digitally Signed

It's digitally signed with the Rare Ideas, LLC signature, which is a MUCH better indicator of authenticity and trustworthiness than an MD5 sum. But as some folks may be curious, I added it to the GPG for TB page. And, yes, your MD5 is correct.

Sometimes, the impossible can become possible, if you're awesome!

crux
Offline
Last seen: 4 years 1 week ago
Joined: 2008-06-13 18:10
Thanks!

The thing about digital signatures, you need to check it with software that has not been subverted. Otherwise, the (corrupt) software you downloaded could tell you the signature is valid when it isn't.

Or are you talking about the self-verification in the PAF launcher?

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 41 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Incorrect

I'm talking about "digitally signed" software. Sometimes called Authenticode or similar. All our releases (including the GPG plugin for Thunderbird Portable) are digitally signed. When you download them using a browser that correctly flags the files as coming from the internet (Firefox 3+ or IE), Windows XP/Vista/7 will throw a warning when you try and run them and ask if you're sure and show you that it was digitally signed by "Rare Ideas, LLC". If it was unsigned, you get a red X warning instead of a yellow triangle and the publisher would be listed as Unknown. You can also right-click on a file and select properties and select the Digital Signatures tab to view the signature. These files are signed by us and the signature is verified by an independent, trusted 3rd party.

This is much better than a simple MD5 or self-CRC check in terms of verifying the source of the software.

Sometimes, the impossible can become possible, if you're awesome!

crux
Offline
Last seen: 4 years 1 week ago
Joined: 2008-06-13 18:10
Thanks!

I will use Firefox 3 Portable someday.

John T. Haller
John T. Haller's picture
Offline
Last seen: 2 hours 41 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Two Weeks

Hopefully within two weeks which is when all Firefox 2 support is dropped and no further bug or security fixes will be made.

And you can right-click on it and check it in Windows 2000+ with the Digital Signatures tab. It's built into Windows and means a lot more than a simple file hash posted on a webpage.

Sometimes, the impossible can become possible, if you're awesome!

Log in or register to post comments