Yesterday I had to download ActiveMQ for work.
I'm somewhat familiar with verifying the hashes of downloaded files, and have used a few different tools for doing that. The ActiveMQ page indicates that MD5 signatures can be used to verify the downloaded files. That sounded like the hashes that my tool could verify. But nowhere on the page did I see the actual MD5 values that one would compare against.
The ActiveMQ page also indicates that PGP or GPG signatures could be used for verifying the files. Ok... I figured that maybe this was a good reason for me to finally try out PGP and see how it works.
I read about the differences between PGP and GPG, and decided to try GPG. So I went to the GnuPG download page, but found that it only has the source code. Apparently the binary packages are only available on the mirrors. There's no mirror in the U.S. The Canada mirror site wasn't responding. So I looked at a few of the other mirrors.
It seems the latest GnuPG 2.0 version is not available in a Windows version. Why not? I don't know, but after reading a bit, it sounded like the 1.4.* version should suffice for my needs.
Versions 1.4.0 and older are available as zip files, while newer versions up to 1.4.9 are exe files. Why no zips for the later versions? I'd prefer not having to install anything... And how would I verify these downloads? Where are the checksums for them?
It was at this point that I decided to forgo verifying the downloaded ActiveMQ files.
I had a fuzzy-head type headache, by the way. Makes it harder to think.
Based on this experience, I'm not surprised that the use of PGP encryption hasn't caught on all that much. It seems you have to be a developer to even figure out how to get it. Heck, the first answer on this page to the question "Where can I find a command-line version of GPG for Windows?" is "You could download it and compile it yourself".
I subsequently found this Gpg4win download page which has a small 4MB version and also lists the SHA1 checksums. Whenever I feel up to it, I may try that one out.