<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256">
<meta content="text/html; charset=windows-1256">
<meta content="text/html; charset=utf-8">
</head>
<body>
<div>
<div style="font-family:Calibri,sans-serif; font-size:11pt">Small clarification: there certificates *are* the same format as for SSL, and OpenSSL it's able to validate them in the same way as well as generate them (but not extract embedded ones, AFAICT). But
generally SSL certificates are not marked as suitable for code signing so you need to buy a separate one.<br>
<br>
Both Martin and I have the PSF's code signing cert private key, which is how we can sign with the "Python Software Foundation" name. The public key is embedded into every signed file, just like an SSL cert is attached to a site or an S/MIME cert is embedded
in a signed email.<br>
<br>
Cheers,<br>
Steve<br>
<br>
Top-posted from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">From:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:Steve.Dower@microsoft.com">Steve Dower</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Sent:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt">ý4/ý4/ý2015 7:25</span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">To:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:wes.turner@gmail.com">Wes Turner</a>;
<a href="mailto:mal@egenix.com">M. -A. Lemburg</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Cc:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:python-committers@python.org">python-committers</a>;
<a href="mailto:python-dev@python.org">Python-Dev</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Subject:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt">Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?</span><br>
<br>
</div>
<div>
<div>
<div style="font-family:Calibri,sans-serif; font-size:11pt">"Authenticode does not have a PKI"<br>
<br>
If you got that from this discussion, I need everyone to at least skim read this: https://msdn.microsoft.com/en-us/library/ie/ms537361(v=vs.85).aspx
<br>
<br>
Authenticode uses the same certificate infrastructure as SSL (note: not the same certificates). As I see it, anyone running on Windows has access to verification that is at least as good as GPG, and the only people who would benefit from GPG sigs are those
checking Windows files on another OS or those with an existing GPG workflow on Windows (before this thread, I knew nobody who used GPG on Windows for anything, so forgive me for thinking this is very rare).<br>
<br>
Cheers,<br>
Steve<br>
<br>
Top-posted from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">From:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:wes.turner@gmail.com">Wes Turner</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Sent:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt">ý4/ý4/ý2015 6:42</span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">To:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:mal@egenix.com">M. -A. Lemburg</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Cc:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt"><a href="mailto:python-dev@python.org">Python-Dev</a>;
<a href="mailto:python-committers@python.org">python-committers</a>; <a href="mailto:larry@hastings.org">
Larry Hastings</a>; <a href="mailto:Steve.Dower@microsoft.com">Steve Dower</a></span><br>
<span style="font-family:Calibri,sans-serif; font-size:11pt; font-weight:bold">Subject:
</span><span style="font-family:Calibri,sans-serif; font-size:11pt">Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?</span><br>
<br>
</div>
<div>
<p dir="ltr">So, AFAIU from this discussion:</p>
<p dir="ltr">* Authenticode does not have a PKI<br>
* GPG does have PKI<br>
* ASC signatures are signed checksums</p>
<p dir="ltr">As far as downstream packaging on Windows (people who should/could be subscribed to release ANNs):</p>
<p dir="ltr">For Choclatey NuGet:</p>
<p dir="ltr">* <a href="https://chocolatey.org/packages/python">https://chocolatey.org/packages/python</a><br>
* <a href="https://chocolatey.org/packages/python.x86">https://chocolatey.org/packages/python.x86</a><br>
* <a href="https://chocolatey.org/packages/python2">https://chocolatey.org/packages/python2</a><br>
* <a href="https://chocolatey.org/packages/python-x86_32">https://chocolatey.org/packages/python-x86_32</a><br>
* <a href="https://chocolatey.org/packages/python3">https://chocolatey.org/packages/python3</a></p>
<p dir="ltr">Python(x,y):</p>
<p dir="ltr">* <a href="https://code.google.com/p/pythonxy/">https://code.google.com/p/pythonxy/</a></p>
<p dir="ltr">For Anaconda (the MS Azure chosen python distribution):</p>
<p dir="ltr">* <a href="http://docs.continuum.io/anaconda/install.html#windows-install">
http://docs.continuum.io/anaconda/install.html#windows-install</a></p>
<p dir="ltr">...</p>
<p dir="ltr">These should/could/are checking GPG signatures for Windows packages downstream.</p>
<p dir="ltr"><a href="http://www.scipy.org/install.html">http://www.scipy.org/install.html</a></p>
<div class="gmail_quote">On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <<a href="mailto:mal@egenix.com">mal@egenix.com</a>> wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
On 04.04.2015 00:14, Steve Dower wrote:<br>
> The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)<br>
><br>
> Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless
there's a CA involved like there is for Authenticode, there's no existing trust in that key.<br>
<br>
Hashes only provide checks against file corruption (and then<br>
only if you can trust the hash values). GPG provides all the<br>
benefits of public key encryption on arbitrary files (not just<br>
code).<br>
<br>
The main benefit in case of downloadable installers is to<br>
be able to make sure that the files are authentic, meaning that<br>
they were created and signed by the people listed as packagers.<br>
<br>
There is no CA infrastructure involved as for SSL certificates<br>
or Authenticode, but it's easy to get the keys from key servers<br>
given the key signatures available from <a href="http://python.org" target="_blank">
python.org</a>'s download<br>
pages.<br>
<br>
If you want to sign a package file using GPG, you will need<br>
to create your own key, upload it to the key servers and then<br>
place the signature up on the download page.<br>
<br>
Relying only on Authenticode for Windows installers would<br>
result in a break in technology w/r to the downloads we<br>
make available for Python, since all other files are (usually)<br>
GPG signed:<br>
<br>
<a href="https://www.python.org/ftp/python/3.4.3/" target="_blank">https://www.python.org/ftp/python/3.4.3/</a><br>
<br>
Cheers,<br>
--<br>
Marc-Andre Lemburg<br>
eGenix.com<br>
<br>
Professional Python Services directly from the Source<br>
>>> Python/Zope Consulting and Support ... <a href="http://www.egenix.com/" target="_blank">
http://www.egenix.com/</a><br>
>>> mxODBC.Zope.Database.Adapter ... <a href="http://zope.egenix.com/" target="_blank">http://zope.egenix.com/</a><br>
>>> mxODBC, mxDateTime, mxTextTools ... <a href="http://python.egenix.com/" target="_blank">
http://python.egenix.com/</a><br>
________________________________________________________________________<br>
<br>
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::<br>
<br>
<br>
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48<br>
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg<br>
Registered at Amtsgericht Duesseldorf: HRB 46611<br>
<a href="http://www.egenix.com/company/contact/" target="_blank">http://www.egenix.com/company/contact/</a><br>
<br>
<br>
> Cheers,<br>
> Steve<br>
><br>
> Top-posted from my Windows Phone<br>
> ________________________________<br>
> From: M.-A. Lemburg<mailto:<a href="mailto:mal@egenix.com">mal@egenix.com</a>><br>
> Sent: ý4/ý3/ý2015 10:55<br>
> To: Steve Dower<mailto:<a href="mailto:Steve.Dower@microsoft.com">Steve.Dower@microsoft.com</a>>; Larry Hastings<mailto:<a href="mailto:larry@hastings.org">larry@hastings.org</a>>; Python Dev<mailto:<a href="mailto:python-dev@python.org">python-dev@python.org</a>>;
python-committers<mailto:<a href="mailto:python-committers@python.org">python-committers@python.org</a>><br>
> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?<br>
><br>
> On 03.04.2015 19:35, Steve Dower wrote:<br>
>>> My Windows development days are firmly behind me. So I don't really have an<br>
>>> opinion here. So I put it to you, Windows Python developers: do you care about<br>
>>> GnuPG signatures on Windows-specific files? Or do you not care?<br>
>><br>
>> The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise
I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).<br>
><br>
> FWIW: I regularly check the GPG sigs on all important downloaded<br>
> files, regardless of which platform they target, including the<br>
> Windows installers for Python or any other Windows installers<br>
> I use which provide such sigs.<br>
><br>
> The reason is simple:<br>
> The signature is a proof of authenticity which is not bound to<br>
> a particular file format or platform and before running .exes<br>
> it's good to know that they were built by the right people and<br>
> not manipulated by trojans, viruses or malicious proxies.<br>
><br>
> Is that a good enough reason to continue providing the GPG<br>
> sigs or do you need more proof of goodness ? ;-)<br>
><br>
> --<br>
> Marc-Andre Lemburg<br>
> eGenix.com<br>
><br>
> Professional Python Services directly from the Source<br>
>>>> Python/Zope Consulting and Support ... <a href="http://www.egenix.com/" target="_blank">
http://www.egenix.com/</a><br>
>>>> mxODBC.Zope.Database.Adapter ... <a href="http://zope.egenix.com/" target="_blank">http://zope.egenix.com/</a><br>
>>>> mxODBC, mxDateTime, mxTextTools ... <a href="http://python.egenix.com/" target="_blank">
http://python.egenix.com/</a><br>
> ________________________________________________________________________<br>
><br>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::<br>
><br>
><br>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48<br>
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg<br>
> Registered at Amtsgericht Duesseldorf: HRB 46611<br>
> <a href="http://www.egenix.com/company/contact/" target="_blank">
http://www.egenix.com/company/contact/</a><br>
><br>
<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com" target="_blank">
https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com</a><br>
</blockquote>
</div>
</div>
</div>
</body>
</html>