[archived] Previous, now Deprecated Whonix Windows Installer Testing

The gpg4win website nowadays has a valid, CA-signed TLS certificate / functional https. Therefore the chapter for manual TLS certificate installation was removed.

Is there still any point in downloading SignTools from microsoft.com to use it to verify gpg4win? Connecting to microsoft.com over TLS only vs connecting to gpg4win.org over TLS only seems to be equally dangerous. There seems to be a bootstrapping problem of securely obtaining gpg4win on the Windows platform anyhow.

Or is initially downloading SignTools (which then will be used to verify gpg4win) from microsoft.com more secure because microsoft.com is on the TLS Static Public Key Pinning list?

TLS Public Key Pinning (HPKP) was deprecated, but does TLS Static Public Key Pinning still exist?

References for TLS static pinning:

Can anyone find a TLS Static Public Key Pinning list?

However, I doubt it. `curl --head https://www.microsoft.com` does not even include an HSTS header.

//cc @madaidan
