How can I ensure a program, once put on FTP sites, stays untampered with? I have done the following, but I still find holes:

1: PGP signed each file with a separate .sig file.

2: Made an MD5 list, using 2-3 separate programs (making sure they agree), PGP signing the list, and asking friends to sign the list, leaving separate .sigs in the directory.

3: Encrypting a copy of the MD5 list with a passphrase (if all keys are fragged, then in front of trusted witnesses, I can decrypt the key and show them that the MD5 list is authentic.)

4: PKZIPping it using my AV key. (Yes, I am aware that this is a joke, but since I am a registered user, why not use it?) (Side note: if one uses PKZIP, please register it. I have seen so many unregistered copies of this that it makes my eyes water.)

The holes:

1: Someone hacking the keyservers, substituting a key for all the people who signed, and modifying the archive to show that.

2: Someone breaking into my apt, sticking a keyboard monitor on, getting my passphrase and key.

Most of this is theoretical, as it is hard to hack _all_ keyservers to nuke my PGP key, then hack AOL, CompuServe, and other FTP sites to modify the binary, but I would like to make _sure_ this program gets into users' hands without getting modified. (Not for paranoia reasons, but just to see how well one can make a package resistant to tampering.)

Pardon the anonymous ID, as my reputation with my REAL user id is not so great. (No, I am not Lance, but not that much better off due to tons of dumb mistakes with my regular ID on this list.)

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
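As an added example (not part of the original post or any tool it mentions), here is the receiving side of the "hash list" scheme above: a verifier that checks a directory of files against a manifest in md5sum/sha256sum format and reports what was modified, what is missing, and what was dropped in unlisted. It defaults to SHA-256 because MD5 is no longer collision-resistant; the manifest text is what the author would PGP-sign, and signature verification itself is assumed to happen separately (e.g. with gpg --verify). File names and contents in the demo are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, streamed so large archives need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(directory, algorithm="sha256", ignore_suffixes=(".sig", ".asc")):
    """Emit '<hexdigest>  <name>' lines (md5sum/sha256sum style); this text is what gets signed."""
    lines = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and not path.name.endswith(ignore_suffixes):
            lines.append(f"{file_digest(path, algorithm)}  {path.name}")
    return "\n".join(lines) + "\n"

def verify_manifest(directory, manifest_text, algorithm="sha256", ignore_suffixes=(".sig", ".asc")):
    """Compare a directory against a (separately signature-checked) manifest."""
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, name = line.partition(" ")
            expected[name.lstrip(" *")] = digest.lower()  # tolerate md5sum's ' *' binary marker
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    directory = Path(directory)
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            result["missing"].append(name)
        elif hmac.compare_digest(file_digest(path, algorithm), digest):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.name not in expected and not path.name.endswith(ignore_suffixes):
            result["unlisted"].append(path.name)  # e.g. a file planted on the mirror
    return result

def demo():
    """Constructed scenario: manifest made at release time, then a tampered mirror copy."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name, data in [("program.zip", b"original release"), ("README", b"read me"), ("CHANGES", b"v1")]:
            (d / name).write_bytes(data)
        manifest = build_manifest(d)                             # author signs this text
        (d / "program.zip").write_bytes(b"modified release")     # binary altered on the mirror
        (d / "CHANGES").unlink()                                 # listed file removed
        (d / "extra.exe").write_bytes(b"not in release")         # unlisted file added
        (d / "README.sig").write_bytes(b"detached sig placeholder")  # .sig files are expected
        return verify_manifest(d, manifest)
```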