On 11/06/2015 16:47, OpenSSL wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> OpenSSL version 1.0.2b released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> http://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of
> version 1.0.2b of our open source toolkit for SSL/TLS. For details
> of changes and known issues see the release notes at:
>
> http://www.openssl.org/news/openssl-1.0.2-notes.html
>
> OpenSSL 1.0.2b is available for download via HTTP and FTP from the
> following master locations (you can find the various FTP mirrors under
> http://www.openssl.org/source/mirror.html):
>
> * http://www.openssl.org/source/
> * ftp://ftp.openssl.org/source/
>
> The distribution file name is:
>
> o openssl-1.0.2b.tar.gz
> Size: 5281009
> MD5 checksum: 7729b259e2dea7d60b32fc3934d6984b
> SHA1 checksum: 9006e53ca56a14d041e3875320eedfa63d82aba7
>
> The checksums were calculated using the following commands:
>
> openssl md5 openssl-1.0.2b.tar.gz
> openssl sha1 openssl-1.0.2b.tar.gz
>
> Yours,
>
> The OpenSSL Project Team.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJVeZNdAAoJENnE0m0OYESRYscIAKrJik5qyPifnVhWRHVTUXot
> NYhfl+h+ooHequRyz9ug7Wz3vdUioftuOYlX0eJBBZ+YvskVk27U9tjY+plFnRjq
> vpdNKfa6bSL9rjztZObupvbCnhYRdDkcJRqLi8HfPb53UlZS/ALIbpDi1FPqIErs
> Bc7D/toD0nDoQUONLVQw/aSZNWWCaACO09326K2xX/jZGEsQbhCWdlkERfO3RzRW
> RBN0RnR+k8XBaqy6TRELF1vlYdHe83Dqxg1h3KBTBJ+yOFXvQblPoZO4GnkAyoNA
> 8EGhbzgWsjg6OIroUbnbbq50avvya/2eDmY+N3gNg5wOrYBNZlWShy91WGZ4378=
> =rcRW
> -----END PGP SIGNATURE-----

Note: Why are OpenSSL releases still signed only with MD5 and SHA1? Even the gpg signature of the tarball is SHA1-based.

Why isn't there also a detached S/MIME / CMS signature for the tarballs, preferably using a code/object signing certificate from someone like GlobalSign, i.e. something that can be verified with the command:

  old-trusted-openssl smime -verify -inform PEM -in \
    openssl-1.0.2b.tar.gz.sig -binary -content \
    openssl-1.0.2b.tar.gz -out /dev/null -CAfile \
    /etc/ssl/certificates/foo.pem

(add option "-purpose codesign" once implemented by the users' "old-trusted-openssl").

If old-trusted-openssl is a recent version, a similar "old-trusted-openssl cms" command can also be used, but verification compatibility with old copies should be maintained for a few years (don't prevent upgrading openssl because the user needs to upgrade openssl).

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
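A worked example of the detached S/MIME/CMS signature and verification step proposed in the message above. This is an added example, not part of the thread and not OpenSSL project tooling: it uses a self-signed certificate as a stand-in for the CA-issued code-signing certificate, a constructed file in place of the real release tarball, and the names `WORK`, `make_tarball`, `make_signer`, `sign_tarball` and `verify_tarball` are this example's own. It goes one step beyond the post by also showing the failure mode: after a single appended byte the same `openssl smime -verify` command rejects the content.

```shell
#!/bin/sh
# Added example (not from the original thread): detached CMS/S-MIME signing
# of a release artefact and its verification with the OpenSSL CLI.
# Assumptions: a self-signed certificate stands in for a CA-issued
# code-signing certificate; the "tarball" is a constructed file.
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for openssl-1.0.2b.tar.gz (content is arbitrary).
# Prints the path so callers can reuse it.
make_tarball() {
    printf 'constructed release payload\n' > "$WORK/release.tar.gz"
    printf '%s\n' "$WORK/release.tar.gz"
}

# Self-signed signing certificate (placeholder for a real code-signing cert).
# In production the CA certificate, not the signer, would be the -CAfile.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example release signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null
}

# Detached, binary-safe, SHA-256 based signature written as PEM, so that
# the tarball itself is shipped unchanged next to release.tar.gz.sig.
sign_tarball() {
    openssl smime -sign -binary -md sha256 \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
        -in "$WORK/release.tar.gz" -outform PEM \
        -out "$WORK/release.tar.gz.sig"
}

# The verification command from the post, parameterised on the content file.
# Exit status 0 means the signature covers exactly this content and chains
# to the trusted -CAfile; anything else is a verification failure.
verify_tarball() {
    openssl smime -verify -inform PEM -in "$WORK/release.tar.gz.sig" \
        -binary -content "$1" -out /dev/null \
        -CAfile "$WORK/signer.pem" 2>/dev/null
}

# Stand-alone run: sign, verify, then show that tampered content is rejected.
TARBALL="$(make_tarball)"
make_signer
sign_tarball
verify_tarball "$TARBALL" && echo "good signature over $TARBALL"
printf 'x' >> "$TARBALL"                     # one appended byte
verify_tarball "$TARBALL" || echo "tampered content rejected"
```

Because the signature is detached, the `.sig` file carries only the signer's certificate and the signed digest, which is why `-content` must name the exact bytes being checked; verifying a copy with a different line-ending convention or a re-compressed archive fails just like the tampered file does.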