[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
Nathaniel Smith njs at pobox.com
Sat Apr 4 03:16:00 CEST 2015
On Apr 3, 2015 5:50 PM, "Donald Stufft" <donald at stufft.io> wrote:
> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>
> > On 04.04.2015 00:14, Steve Dower wrote:
> >
> > > The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
> > >
> > > Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
> >
> > Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
> >
> > The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
> >
> > There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
>
> FTR if we're relying on people to get the GPG keys from the download pages then there's no additional benefit over just using a hash published on the same page. In order to get additional benefit we'd need to get Steve's key signed by enough people to get him into the strong set.
I don't think that's true -- e.g. people who download the key for checking 3.5.0 will still have it when 3.5.1 is released, and notice if something silently changes. In general distributing a key id widely on webpages / mailing lists / using it consistently over multiple releases all increase security, even if they fall short of perfect. Even the web of trust isn't particularly trustworthy, it's just useful because it's harder to attack two targets (the webserver and the WoT) than it is to attack one.
In any case, getting his key into the strong set ought to be trivial given that pycon is next week.
-n
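The "notice if something silently changes" check from the reply above, as an added example that is not part of the thread: a trust-on-first-use verifier that pins the primary-key fingerprint reported by `gpg --status-fd 1 --verify` for the first release it sees and rejects a later release signed by a different key. The `[GNUPG:] GOODSIG`/`VALIDSIG` line layout is GnuPG's documented status format; the pin label, the release names and the all-A/all-B fingerprints are constructed placeholders.

```python
# Trust-on-first-use pinning of a release signing key, driven by the
# machine-readable output of `gpg --status-fd 1 --verify <sig> <file>`.

PIN_NAME = "windows-installer-signer"   # label for the pinned key (assumed)


def parse_status(status_output):
    """Reduce gpg --status-fd lines to (verdict, primary key fingerprint).
    VALIDSIG's last field is the primary fingerprint even if a subkey signed."""
    verdict, fingerprint = "none", None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            verdict = "good"
        elif fields[1] in ("BADSIG", "ERRSIG"):
            verdict = "bad"
        elif fields[1] == "NO_PUBKEY":
            verdict = "missing"
        elif fields[1] == "VALIDSIG":
            fingerprint = fields[-1]
    return verdict, fingerprint


def check_release(release, status_output, pins):
    """First good signature pins the key; later releases must use the same one.
    `pins` is a dict the caller persists (e.g. as JSON) between downloads."""
    verdict, fingerprint = parse_status(status_output)
    if verdict != "good" or fingerprint is None:
        return f"REJECT {release}: signature {verdict}"
    pinned = pins.get(PIN_NAME)
    if pinned is None:
        pins[PIN_NAME] = fingerprint          # first contact: remember the key
        return f"PINNED {release}: {fingerprint}"
    if pinned != fingerprint:
        return f"REJECT {release}: signer changed {pinned[-8:]} -> {fingerprint[-8:]}"
    return f"OK {release}: same key as pinned"


# Constructed status output with placeholder fingerprints (not real keys).
KEY_A, KEY_B = "A" * 40, "B" * 40


def status_for(fpr):
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Release Manager <rm@example.invalid>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2015-04-03 1428019200 0 4 0 1 10 00 {fpr}\n")


def demo():
    pins = {}
    return [check_release("3.5.0", status_for(KEY_A), pins),
            check_release("3.5.1", status_for(KEY_A), pins),
            check_release("3.5.2", status_for(KEY_B), pins)]
```

The pinned fingerprint still has to be compared against the one published on the download page and elsewhere the first time; the pin only catches a change after that.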