I’m glad the installers are digitally signed. That ought to provide a good integrity proof, indeed.
As someone who last seriously used windows when win95 was the latest and greatest, and has been in a linux-only household since about 2005, I’m not particularly aware of how this works from the windows-end-user experience.
Does windows give warnings if the file is not signed, or only if the signature is invalid?
It seems that there is a problem, in that the user in this case had a “scary message” from her virus scanner, but it did not tell her that the signature was correct, nor did she have information that the installers were signed.
I think a bit of documentation on the site could have removed some worry for her. I don’t see anything on the website about the installers being signed, so ‘they always have been’ or assumptions about best practice do not provide any pointer for the new user, nor is there any reference to how someone can check the signature / how to spot a genuine one.
Having done 5 or 6 google searches I’ve found out how to check a signature from linux:
- built-in mono tool ‘chktrust’, but that only tells me that “signature is valid and can be traced back to a trusted root” but gives me no information on who signed it.
- ‘osslsigncode’ (available in ubuntu repositories) which tells me it was signed by United Bible Societies Association, Swindon. Now that I like! Do windows users have access to this level of information, or has it been decided that people don’t need to know it?
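For the Windows side of the question above, here is an added example (not code from the original post or the project) that reads the same signer information from an Authenticode signature using the built-in Get-AuthenticodeSignature cmdlet; the installer path is a placeholder.

```powershell
# Added example: inspect an installer's Authenticode signature on Windows.
# $InstallerPath is a placeholder; point it at the downloaded installer.
param(
    [string]$InstallerPath = 'C:\Downloads\installer.exe'  # placeholder path
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status is one of: Valid, NotSigned, HashMismatch, NotTrusted,
# NotSupportedFileFormat, Incompatible, UnknownError
Write-Host "Status : $($sig.Status)"
Write-Host "Message: $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    # Subject is the 'who signed it' line the post was looking for
    Write-Host "Signer     : $($cert.Subject)"
    Write-Host "Issuer     : $($cert.Issuer)"
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Cert valid : $($cert.NotBefore) to $($cert.NotAfter)"
}
if ($sig.TimeStamperCertificate) {
    # A countersignature timestamp keeps the signature valid after cert expiry
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
}

# Separate the three situations the post asks about:
# unsigned, signed and trusted, signed but failing verification.
switch ($sig.Status) {
    'Valid'     { Write-Host 'Signature verifies and chains to a trusted root.' }
    'NotSigned' { Write-Host 'File carries no Authenticode signature at all.' }
    default     { Write-Host 'Signature present but does not verify; do not run it.' }
}
```

The same signer and issuer details are visible without scripting in Explorer under the file's Properties, on the Digital Signatures tab, which only appears when the file is signed.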