[Python-Dev] Do we need to sign Windows files with GnuPG? (original) (raw)
Larry Hastings larry at hastings.org
Fri Apr 3 11:56:53 CEST 2015
- Previous message (by thread): [Python-Dev] Installing Python from the source code on Windows
- Next message (by thread): [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
As of Python 3.5 Steve Dower has taken over the Windows builds of Python from Martin van Loewis. He's also taken over for 2.7--though Martin's still doing builds for 3.4.
For both versions, Steve is using all-new tooling for the build process. The output is different, too; he's producing .exe installers instead of .msi installers, and he has snazzy new "web-based" installers where the initial download is small, then it downloads the rest dynamically.
Steve's also changed the authentication process. His new installers rely on a Windows digital signature technology called Authenticode where the signature is built right into the .exe file. Windows platforms will automatically authenticate executables signed with Authenticode, so this is both secure and convenient.
Martin's build process also digitally signed the files he built, but not using Authenticode (or at least I don't think so). Like the Mac and source code releases, his automation used GnuPG to produce separate ".asc" files containing digital signatures. This meant authentication was a manual process.
The Authenticode approach sounds great. But there are advantages to the GnuPG approach too:
- Using GnuPG means we can authenticate the files from any platform, not just Windows. If there were a security breach on the Python content delivery network, any developer could get GnuPG for their platform and authenticate that the installers are unmodified. If we use Authenitcode,
- GnuPG is agnostic about the data it digitally signs. So, for example, Martin's build process digitally signs the Windows help file--the ".chm" file--produced by his build process. The help file Steve builds is currently completely unsigned; Steve says he can try signing it but he's not sure it'll work. Note that .chm files actually /can/ contain live code, so this is at least a plausible vector for attack.
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
//arry/
p.s. And, of course, my thanks to both Steve and Martin for their past and continuing service to the Python community! It's a pleasure working with each of them. (Both of them? I forget how English works.) -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20150403/c4b8d333/attachment-0001.html>
- Previous message (by thread): [Python-Dev] Installing Python from the source code on Windows
- Next message (by thread): [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]