Is there really no GIMP release signing key and signature file?

Usually the .exe that is provided has a SHA256 hash signed by a release signing key in a signature file so it can be verified. How can GIMP releases be trusted without the ability to verify the download?

It is there on the Download page.

The SHA256 hash sum for gimp-2.10.36-setup-1.exe is: 5dc0efd3c877c6e8fd8af44944d31997875e38b610f95b30445aea3758dbbe90
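A worked example of the verification chain the question describes: the installer's SHA256 is compared against a published `SHA256SUMS`-style line, and the hash file itself is only meaningful if a detached signature over it verifies. This is added here and is not code from GIMP or from anyone in this thread. The installer bytes and the hash line are constructed in a temporary directory; the signature step shells out to `gpg --verify` only if a `gpg` binary is on PATH and returns `None` otherwise, so the caller can see that the check was skipped rather than passed.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'HEX  filename' lines (sha256sum / SHA256SUMS format) into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")  # sha256sum separates fields with two spaces
        name = name.strip().lstrip("*")  # '*' marks binary mode on some platforms
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_file(path, expected):
    """Compare the file's digest with the published one; returns (ok, message)."""
    name = os.path.basename(path)
    if name not in expected:
        return False, f"{name}: no entry in SHA256SUMS"
    actual = sha256_of_file(path)
    if actual != expected[name]:
        return False, f"{name}: digest mismatch (got {actual}, expected {expected[name]})"
    return True, f"{name}: OK"


def verify_detached_signature(signed_path, sig_path):
    """True if gpg reports a good signature, False if it does not, None if gpg is absent.

    The hash check above only proves the file matches the hash file; whether the
    hash file is genuine depends on this step and on trusting the signing key."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    result = subprocess.run([gpg, "--verify", sig_path, signed_path],
                            capture_output=True, text=True)
    return result.returncode == 0


def demo():
    """Constructed sample: a fake installer plus its hash line, then a one-byte tamper."""
    with tempfile.TemporaryDirectory() as d:
        installer = os.path.join(d, "gimp-setup.exe")  # constructed, not a real release
        with open(installer, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1024)
        sums_text = f"{sha256_of_file(installer)}  gimp-setup.exe\n"
        expected = parse_sha256sums(sums_text)
        ok_before, _ = verify_file(installer, expected)
        with open(installer, "ab") as f:
            f.write(b"\x90")  # a single appended byte is enough to break the digest
        ok_after, _ = verify_file(installer, expected)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The two-space separator and optional `*` prefix are what `sha256sum -c` expects, so a hash file written this way can also be checked with that tool directly; the point of keeping `verify_detached_signature` separate is that a green hash check with a skipped or failed signature check is not a verified download.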

If it is not signed, it cannot be trusted.

Yes, plenty for Linux, but Windows? How many Windows users even check the hash sum, I wonder. Does Windows come with PGP/GPG already installed? Why not bring it up with the GIMP developers.

Reading the download page would help… you have many options, even the option to download from the Microsoft Store.


If the hash cannot be verified with a signature, it may have been replaced by an attacker. Best practices are followed for a reason.

Just because most people don’t do something doesn’t mean they should not be able to. Kleopatra is an easy and free Windows tool, and it would be trivial to provide instructions for verification on the download page. I agree, this topic of having and using a release signing key should be raised with the GIMP developers.

If the signature is from some unidentified individual, what good is it? How do you know it hasn’t been also replaced?