rbsec / sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
GNU General Public License v3.0

Windows 2.1.2 release zip file contains 2.1.1 pre-compiled binary #302

Closed arcao closed 10 months ago

arcao commented 11 months ago

sslscan --version shows:

                2.1.1 Windows 64-bit (Mingw)
                OpenSSL 3.0.9 30 May 2023
sergeevabc commented 10 months ago

Err… @rbsec, @jtesta, hello?

jtesta commented 10 months ago

This would be a task for rbsec to update the release since he's the official maintainer. I just send in patches from time to time.

rbsec commented 10 months ago

There's a new 2.1.3 release that should fix this.

sergeevabc commented 10 months ago

@rbsec, the package includes sslscan.sig file with no instructions in readme.md on how to use it.

rbsec commented 10 months ago

It's a GPG signature - you can verify it against previous releases, and my key is on public keyservers.

sergeevabc commented 10 months ago

@rbsec

[screenshot: 2024-0121-2217 rbsec expired pgp key]

Jeez!

Consider adding your PGP fingerprint to the bio, or a link to the public keys server, or even uploading the key to Github. If we're going to play it safe by accompanying programs with signatures, we need to make it easier to verify them.

rbsec commented 10 months ago

My GPG key is available on the Ubuntu keyserver (https://keyserver.ubuntu.com/pks/lookup?search=robin%40rbsec.net&fingerprint=on&op=index) and the OpenPGP keyserver (https://keys.openpgp.org/search?q=robin%40rbsec.net) under my email address.
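The verification step rbsec describes above (check the detached sslscan.sig against the archive, with the maintainer's key fetched from one of the keyservers he links), as an added POSIX shell example that is not part of this thread or of the sslscan project. To run offline it generates a throwaway signing key in a temporary keyring and signs a constructed stand-in archive; the file names, the "Demo Signer" identity and the all-zero fingerprint are placeholders for the demo, and GnuPG 2.x is assumed to be installed as `gpg`. The one thing the script adds beyond `gpg --verify` is pinning the expected key fingerprint, which is exactly the piece of metadata sergeevabc says is hard to find:

```shell
#!/bin/sh
# Added example, not code from the sslscan project: verify a detached GPG
# signature (the sslscan.sig-next-to-the-archive pattern) and pin the signing
# key's fingerprint. Assumes GnuPG 2.x is installed as `gpg`. File names and
# the signing key below are constructed for the demonstration.

# verify_release ARCHIVE SIGFILE EXPECTED_FPR
# Exit 0 only when SIGFILE is a good signature over ARCHIVE made by the key
# whose full fingerprint is EXPECTED_FPR. Reading the machine-readable
# --status-fd lines instead of the human text means a signature from an
# expired key (reported as EXPKEYSIG, the situation in this thread) or from
# some other key that happens to be in the keyring is rejected.
verify_release() {
    archive=$1; sigfile=$2; expected_fpr=$3
    status=$(gpg --batch --status-fd 1 --verify "$sigfile" "$archive" 2>/dev/null) || true
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "
}

# demo: build a throwaway keyring, sign a constructed "release" and run the
# three checks a downloader cares about. Prints "ok fail fail" when all
# three behave as expected.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"

    # Throwaway signing key standing in for the maintainer's real key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --with-fingerprint --list-keys 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Constructed release archive and its detached signature.
    archive="$work/sslscan-demo.zip"; sigfile="$archive.sig"
    printf 'constructed release archive contents\n' > "$archive"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$sigfile" "$archive" 2>/dev/null

    # 1. Genuine archive, expected key: ok.
    r_good=$(verify_release "$archive" "$sigfile" "$fpr" && echo ok || echo fail)
    # 2. Good signature, but not from the fingerprint we decided to trust:
    #    gpg alone still prints "Good signature", which is why pinning matters.
    r_wrongkey=$(verify_release "$archive" "$sigfile" \
        "0000000000000000000000000000000000000000" && echo ok || echo fail)
    # 3. Archive modified after signing: fail.
    printf 'x' >> "$archive"
    r_tampered=$(verify_release "$archive" "$sigfile" "$fpr" && echo ok || echo fail)

    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$r_good $r_wrongkey $r_tampered"
}

demo
```

For a real download the same `gpg --verify sslscan.sig <archive>` works from PowerShell on Windows once Gpg4win is installed. Import the key from one of the keyservers linked above (for example `gpg --keyserver keys.openpgp.org --search-keys robin@rbsec.net`), then compare the fingerprint gpg prints against the one the maintainer publishes before using it as EXPECTED_FPR; without that comparison a "Good signature" line only proves the archive matches whatever key was fetched.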

sergeevabc commented 10 months ago

@rbsec, the trouble is that your e-mail address is not mentioned in sslscan.exe --help or in readme.md, and your GitHub profile has only an @ sign as its avatar. So the only meaningful piece of metadata is rbsec. Seriously, try to put yourself in the ordinary user's shoes.

[screenshot: 2024-0121-2314 rbsec github profile]

rbsec commented 10 months ago

Well, if they've already run sslscan --help, then it's far too late to be worrying about checking signatures, because they've already run the untrusted code.

And it's already listed in the changelog, the man page and the git commit history. But I can add it to the readme as well for people who don't bother looking at any of those.