Making sure a program gets to the receiver intact

an169306 at anon.penet.fi
Wed Dec 21 23:47:49 PST 1994


How can I ensure a program, once put on FTP sites, stays untampered with?

I have done the following, but I still find holes:

1:  PGP signed each file with a separate .sig file.
2:  Made an MD5 list, using 2-3 separate programs (making sure they agree),
    PGP signing the list, and asking friends to sign the list, leaving
    separate .sigs in the directory.
3:  Encrypting a copy of the MD5 list with a passphrase (if all keys are
    fragged, then in front of trusted witnesses, I can decrypt the key, 
    show them that the MD5 list is authentic.)
4:  PKZIPPING it using my AV key.  (Yes, I am aware that this is a joke,
    but since I am a registered user, why not use it?)  (Side note, if
    one uses PKZIP, please register it.  I have seen so many unregistered
    copies of this, that it makes my eyes water.)

The holes:

1:  Someone hacking the keyservers, substituting a key for all the people
    who signed, and modifying the archive to show that.
2:  Someone breaking into my apt, sticking a keyboard monitor on, getting
    my passphrase and key.

Most of this is theoretical, as it is hard to hack _all_ keyservers to
nuke my PGP key, then hack AOL, CompuServe, and other FTP sites to
modify the binary, but I would like to make _sure_ this program gets
into users' hands without getting modified.  (Not for paranoia reasons,
but just to see how well one can make a package resistant to tampering.)

Pardon the anonymous ID, as my reputation with my REAL user id is not
so great.  (No, I am not Lance, but not that better off due to tons
of dumb mistakes with my regular ID on this list.)

-------------------------------------------------------------------------
To find out more about the anon service, send mail to help at anon.penet.fi.
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin at anon.penet.fi.
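
One way a downloader could check a fetched directory against the MD5 list from step 2, as an added example that is not part of the original post. The function names and the `ignore` parameter are assumptions, and the list's PGP signature is assumed to have been verified separately before the list is trusted.

```python
import hashlib
import os
import re

def file_digest(path, algo="md5"):
    """Hash a file in chunks; algo is any name hashlib.new() accepts."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text, algo="md5"):
    """Parse md5sum-style lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    width = hashlib.new(algo).digest_size * 2
    line_re = re.compile(r"^([0-9a-fA-F]{%d}) [ *](.+)$" % width)
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = line_re.match(line)
        if not m:
            raise ValueError("malformed manifest line %d" % lineno)
        digest, name = m.group(1).lower(), m.group(2)
        # Reject names that would escape the distribution directory.
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError("unsafe path on line %d" % lineno)
        # The same file listed twice with different digests is a red flag.
        if entries.get(name, digest) != digest:
            raise ValueError("conflicting digests for %s" % name)
        entries[name] = digest
    return entries

def verify_tree(root, manifest, algo="md5", ignore=()):
    """Compare a directory against the manifest; return the three failure classes."""
    report = {"modified": [], "missing": [], "unlisted": []}
    for name, expected in sorted(manifest.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif file_digest(path, algo) != expected:
            report["modified"].append(name)
    # Files present on the FTP site but absent from the signed list.
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            if rel not in manifest and rel not in ignore:
                report["unlisted"].append(rel)
    report["unlisted"].sort()
    return report
```

Pass the list file and the detached `.sig` files in `ignore` so they are not reported as unlisted; any other non-empty entry in the report means the directory does not match what was signed.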





