[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG? (original) (raw)
Steve Dower Steve.Dower at microsoft.com
Sun Apr 5 14:07:53 CEST 2015
- Previous message (by thread): [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
- Next message (by thread): [Python-Dev] Socket timeout: reset timeout at each successful syscall?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
"One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ?"
I've seen some info suggesting that it's verifiable, but you do need to extract the cert and calculate the hash against less than the signed file. Seemed like Mono had a tool for it, but OpenSSL can handle the cert.
Currently the new installer doesn't run on Wine because of missing APIs (since I want to discuss alternate distribution ideas I haven't treated this as a priority), and I've heard they haven't implemented enough crypto yet to handle it, but that could be outdated.
"GPG sigs will provide protection against replay attacks"
How does this work?
Cheers, Steve
Top-posted from my Windows Phone
From: Robert Collins<mailto:robertc at robertcollins.net> Sent: 4/4/2015 21:59 To: Steve Dower<mailto:Steve.Dower at microsoft.com> Cc: M.-A. Lemburg<mailto:mal at egenix.com>; Larry Hastings<mailto:larry at hastings.org>; Python Dev<mailto:python-dev at python.org>; python-committers<mailto:python-committers at python.org> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
On 4 April 2015 at 11:14, Steve Dower <Steve.Dower at microsoft.com> wrote:
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
GPG sigs will provide protection against replay attacks [unless we're proposing to revoke signatures on old point releases with known security vulnerabilities - something that Window software vendors tend not to do because of the dramatic and immediate effect on the deployed base...]
This is not relevant for things we're hosting on SSL, but is if anyone is mirroring our installers around. They dont' seem to be so perhaps its a bit 'meh'.
OTOH I also think there is value in consistency: signing all our artifacts makes checking back on them later easier, should we need to.
One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ?
-Rob
-- Robert Collins <rbtcollins at hp.com> Distinguished Technologist HP Converged Cloud -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20150405/943b2b01/attachment.html>
- Previous message (by thread): [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
- Next message (by thread): [Python-Dev] Socket timeout: reset timeout at each successful syscall?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]