[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

Steve Dower Steve.Dower at microsoft.com
Sun Apr 5 03:07:10 CEST 2015


There's no problem, per se, but initially it was less trouble to use the trusted PSF certificate and native support than to add an extra step using a program I don't already use and trust, am restricted in use by my employer (because of the license and the fact there are alternatives), and developing the trust in a brand new certificate.

Eventually the people saying "do it" will win through sheer persistence, since I'll get sick of trying to get a more detailed response and just concede. Not sure if that's how we want to be running the project though...

Top-posted from my Windows Phone


From: Barry Warsaw <barry at python.org>
Sent: 4/4/2015 9:11
To: python-dev at python.org
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

On Apr 04, 2015, at 02:41 PM, Steve Dower wrote:

"Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed"

It's the "only" part I have a question about.

Does the use of Authenticode preclude detached GPG signatures of the exe file? I can't see how it would, but maybe there's something (well, a lot of somethings ;) I don't know about Windows.

If not, then what's the problem with also providing a GPG signature?

Cheers, -Barry

