Do we need to sign Windows files with GnuPG?
As of Python 3.5 Steve Dower has taken over the Windows builds of Python from Martin van Loewis. He's also taken over for 2.7--though Martin's still doing builds for 3.4.
For both versions, Steve is using all-new tooling for the build process. The output is different, too; he's producing .exe installers instead of .msi installers, and he has snazzy new "web-based" installers where the initial download is small, then it downloads the rest dynamically.
Steve's also changed the authentication process. His new installers rely on a Windows digital signature technology called Authenticode where the signature is built right into the .exe file. Windows platforms will automatically authenticate executables signed with Authenticode, so this is both secure and convenient.
Martin's build process also digitally signed the files he built, but not using Authenticode (or at least I don't think so). Like the Mac and source code releases, his automation used GnuPG to produce separate ".asc" files containing digital signatures. This meant authentication was a manual process.
The Authenticode approach sounds great. But there are advantages to the GnuPG approach too:
- Using GnuPG means we can authenticate the files from any platform, not just Windows. If there were a security breach on the Python content delivery network, any developer could get GnuPG for their platform and authenticate that the installers are unmodified. If we use Authenticode,
- GnuPG is agnostic about the data it digitally signs. So, for example, Martin's build process digitally signs the Windows help file--the ".chm" file--produced by his build process. The help file Steve builds is currently completely unsigned; Steve says he can try signing it but he's not sure it'll work. Note that .chm files actually /can/ contain live code, so this is at least a plausible vector for attack.
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
//arry/
p.s. And, of course, my thanks to both Steve and Martin for their past and continuing service to the Python community! It's a pleasure working with each of them. (Both of them? I forget how English works.)
On 03.04.2015 11:56, Larry Hastings wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
Regardless of target platform, I firmly believe we should (continue to) GPG sign all distribution files as well as provide hash files/values for them.
This is very useful to detect corrupted downloads or files which were not created by the original packagers.
-- Marc-Andre Lemburg eGenix.com
Professional Python Services directly from the Source
Python/Zope Consulting and Support ... http://www.egenix.com/ mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
On 3 April 2015 at 10:56, Larry Hastings <larry@hastings.org> wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
I don't have a very strong security background, so take my views with a pinch of salt, but I see Authenticode as a way of being sure that what I *run* is "OK". Whereas a GPG signature lets me check that the content of a file is as intended. So there are benefits to both, and I think we should continue to provide GPG signatures. (Disclaimer: I've never in my life actually *checked* a GPG signature for a file...)
Paul
On Fri, Apr 3, 2015 at 7:25 AM, Paul Moore <p.f.moore@gmail.com> wrote:
On 3 April 2015 at 10:56, Larry Hastings <larry@hastings.org> wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
I don't have a very strong security background, so take my views with a pinch of salt, but I see Authenticode as a way of being sure that what I *run* is "OK". Whereas a GPG signature lets me check that the content of a file is as intended. So there are benefits to both, and I think we should continue to provide GPG signatures. (Disclaimer: I've never in my life actually *checked* a GPG signature for a file...)
I haven't been on Windows in a bit, but this is my understanding/expectation as well.
On Apr 03, 2015, at 02:56 AM, Larry Hastings wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
They're not mutually exclusive, so why not do both?
I think the advantage of being able to verify the files on any platform is useful.
Cheers, -Barry
Larry Hastings wrote:
Steve's also changed the authentication process. His new installers rely on a Windows digital signature technology called Authenticode where the signature is built right into the .exe file. Windows platforms will automatically authenticate executables signed with Authenticode, so this is both secure and convenient.
Martin's build process also digitally signed the files he built, but not using Authenticode (or at least I don't think so). Like the Mac and source code releases, his automation used GnuPG to produce separate ".asc" files containing digital signatures. This meant authentication was a manual process.
Martin previously only signed the installer with Authenticode, and generated a signature with GnuPG for the installer. My change now signs every binary and MSI in the entire installation with Authenticode, and for now I've stopped creating a GPG signature for the installers. I'm still providing sizes and MD5 hashes for the user-visible downloads (except for the last alpha release, thanks Larry for covering for me).
With the installer also being a downloader, there are now actually 30+ files uploaded for each Windows release. Most of these are never seen by users unless they run the installer with /layout (sorry for not having changed this to /download yet... it's not as easily customizable as I'd hoped, but /layout is the standard name for this command), and if they're being downloaded by the installer then both hashes (embedded in the installer) and Authenticode signatures (embedded in each file) are being checked and will be blocked if they don't match. So verifying the EXE installer should always be sufficient to trust the rest of the installable files.
The Authenticode approach sounds great. But there are advantages to the GnuPG approach too:
For reference, the main advantage of Authenticode signing is shown at https://technet.microsoft.com/en-us/library/dd835561(v=ws.10).aspx - about halfway down there are screenshots of the various dialogs that are displayed when you run signed vs. unsigned vs. blocked applications.
It also helps bypass SmartScreen, which will block downloaded files until they've developed a minimum level of trust. Simply having an Authenticode signature on the initial download meets this level.
(The summary of my opinion is that these two checks are sufficient for the initial EXE download, and the embedded hashes and signatures are sufficient for the rest. Having python.exe et al signed is a bonus that we've never done in the past.)
- Using GnuPG means we can authenticate the files from any platform, not just Windows. If there were a security breach on the Python content delivery network, any developer could get GnuPG for their platform and authenticate that the installers are unmodified. If we use Authenticode,
There are tools out there for validating Authenticode on Linux, though none of them seem to be as complete as on Windows (it really needs the OS certificate store to be completely reliable), so I can certainly see the value in being able to verify these against a signature. My only question is whether/how this is better with GPG compared to say a SHA hash? I don't currently have a GPG key (to my knowledge), so it's not like there's any preexisting trust to build from - or am I misunderstanding how GPG works here?
- GnuPG is agnostic about the data it digitally signs. So, for example, Martin's build process digitally signs the Windows help file--the ".chm" file--produced by his build process. The help file Steve builds is currently completely unsigned; Steve says he can try signing it but he's not sure it'll work. Note that .chm files actually can contain live code, so this is at least a plausible vector for attack.
Authenticode is not supported for CHM files, unfortunately. If this is the only file that we decide needs GPG, I'd vote to stop offering the download apart from the interpreter :) (Among other things, I'm not supposed to use GPG without specific permission from the lawyers at work because of the license...)
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).
Cheers, Steve
On 03.04.2015 19:35, Steve Dower wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).
FWIW: I regularly check the GPG sigs on all important downloaded files, regardless of which platform they target, including the Windows installers for Python or any other Windows installers I use which provide such sigs.
The reason is simple: The signature is a proof of authenticity which is not bound to a particular file format or platform and before running .exes it's good to know that they were built by the right people and not manipulated by trojans, viruses or malicious proxies.
Is that a good enough reason to continue providing the GPG sigs or do you need more proof of goodness ? ;-)
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
Cheers, Steve
Top-posted from my Windows Phone
On 04.04.2015 00:14, Steve Dower wrote:
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
If you want to sign a package file using GPG, you will need to create your own key, upload it to the key servers and then place the signature up on the download page.
Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed:
https://www.python.org/ftp/python/3.4.3/
Cheers, Marc-Andre Lemburg
On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg <mal@egenix.com> wrote:
On 04.04.2015 00:14, Steve Dower wrote:
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
FTR if we’re relying on people to get the GPG keys from the download pages then there’s no additional benefit over just using a hash published on the same page.
In order to get additional benefit we’d need to get Steve’s key signed by enough people to get him into the strong set.
python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
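Two points in the thread are worth seeing as code. Steve describes a web installer that embeds the hashes of every payload it later downloads, so verifying the signed EXE transitively covers the rest; Donald notes that a GPG key fetched from the same download page adds nothing over a hash on that page, so a signature only helps if the verifier pins the signing key through some other channel. The following is an added example, not code from the python.org release tooling or from any poster; the payload names, manifest layout, key ID and fingerprint in it are constructed placeholders, and the gpg status line format is the one gpg emits with --status-fd.

```python
"""Verification helpers for a downloaded release.

Added example, not part of the python.org build or upload process.
The payload names, manifest layout, key ID and fingerprint below are
constructed for illustration.
"""
import hashlib
import subprocess


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so a large installer
    does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each payload name to its SHA-256. In the installer described
    in the thread this table lives inside the Authenticode-signed EXE,
    so trusting the EXE covers every payload it later downloads."""
    return {name: sha256_bytes(data) for name, data in files.items()}


def verify_manifest(files: dict, manifest: dict) -> list:
    """Return the sorted names of payloads that must be rejected: their
    hash differs from the manifest, or the manifest never listed them."""
    bad = []
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None or sha256_bytes(data) != expected:
            bad.append(name)
    return sorted(bad)


def fingerprint_from_gpg_status(status_text: str):
    """Pull the signing key's full fingerprint out of gpg's machine-
    readable status lines (gpg --status-fd). Only VALIDSIG carries the
    fingerprint; GOODSIG names a short key ID, which is not safe to pin,
    and BADSIG or no line at all means the signature did not verify."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return parts[2].upper()
    return None


def signature_is_trusted(status_text: str, trusted_fingerprints) -> bool:
    """True only if gpg reported a valid signature AND the key that made it
    is one pinned out of band (a key you verified in person, or one signed
    into the strong set), not merely a key linked from the download page."""
    fpr = fingerprint_from_gpg_status(status_text)
    pinned = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    return fpr is not None and fpr in pinned


def verify_detached_signature(path: str, sig_path: str, trusted_fingerprints) -> bool:
    """Run gpg on a detached .asc signature and apply the fingerprint pin.
    Needs a gpg binary and the signer's public key already in the keyring;
    a non-zero gpg exit produces no VALIDSIG line, so the result is False."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True,
    )
    return signature_is_trusted(proc.stdout, trusted_fingerprints)


if __name__ == "__main__":
    # Constructed payloads standing in for the files a web installer fetches.
    payloads = {"core.msi": b"core bits", "doc.msi": b"docs", "lib.msi": b"libs"}
    manifest = build_manifest(payloads)  # what the signed EXE would embed
    tampered = dict(payloads, **{"lib.msi": b"libs plus an implant"})
    print("rejected payloads:", verify_manifest(tampered, manifest))
    # Constructed gpg status output, in the shape gpg --status-fd emits.
    status = (
        "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
        "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 "
        "2015-04-03 1428019200 0 4 0 1 8 00\n"
    )
    pinned = ["0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"]
    print("signature trusted:", signature_is_trusted(status, pinned))
```

The manifest check is the cheap part and only ever proves integrity relative to the manifest you already hold; the pinned fingerprint is what turns "the file matches what the page says" into "the file was made by the key I chose to trust", which is the distinction the thread turns on.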
On 04.04.2015 02:49, Donald Stufft wrote:
On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg <mal@egenix.com> wrote:
On 04.04.2015 00:14, Steve Dower wrote:
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
FTR if we’re relying on people to get the GPG keys from the download pages then there’s no additional benefit over just using a hash published on the same page.
Well, it's still better than just the hashes...
In order to get additional benefit we’d need to get Steve’s key signed by enough people to get him into the strong set.
...but having the key signed by fellow core devs will certainly add more goodness :-)
Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/mal%40egenix.com
"Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed"
This is the point of this discussion. I'm willing to make such a break because I believe Authenticode is so much more convenient for end users that it isn't worth producing GPG signatures. So far, the responses seem to be:
"I'd use them on Windows" x1
"I'd consider using them on another OS" x2-3
"Please don't change" everyone else
At least that's the impression I'm getting, so I hope that helps clarify why I'm still not convinced it's that critical.
Cheers, Steve
Top-posted from my Windows Phone
From: M.-A. Lemburg<mailto:mal@egenix.com> Sent: 4/3/2015 15:38 To: Steve Dower<mailto:Steve.Dower@microsoft.com>; Larry Hastings<mailto:larry@hastings.org>; Python Dev<mailto:python-dev@python.org>; python-committers<mailto:python-committers@python.org> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
On 04.04.2015 00:14, Steve Dower wrote:
The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
If you want to sign a package file using GPG, you will need to create your own key, upload it to the key servers and then place the signature up on the download page.
Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed:
https://www.python.org/ftp/python/3.4.3/
Cheers,
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
Python/Zope Consulting and Support ... http://www.egenix.com/
mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH, Pastor-Loeh-Str. 48, D-40764 Langenfeld, Germany
CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
Cheers, Steve
Top-posted from my Windows Phone
From: M.-A. Lemburg <mal@egenix.com>
Sent: 4/3/2015 10:55
To: Steve Dower <Steve.Dower@microsoft.com>; Larry Hastings <larry@hastings.org>; Python Dev <python-dev@python.org>; python-committers <python-committers@python.org>
Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
On 03.04.2015 19:35, Steve Dower wrote:
My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).
FWIW: I regularly check the GPG sigs on all important downloaded files, regardless of which platform they target, including the Windows installers for Python or any other Windows installers I use which provide such sigs.
The reason is simple: The signature is a proof of authenticity which is not bound to a particular file format or platform and before running .exes it's good to know that they were built by the right people and not manipulated by trojans, viruses or malicious proxies.
Is that a good enough reason to continue providing the GPG sigs or do you need more proof of goodness ? ;-)
-- Marc-Andre Lemburg eGenix.com
On 04.04.2015 16:41, Steve Dower wrote:
"Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed"
This is the point of this discussion. I'm willing to make such a break because I believe Authenticode is so much more convenient for end users that it isn't worth producing GPG signatures. So far, the responses seem to be:
"I'd use them on Windows" x1
"I'd consider using them on another OS" x2-3
"Please don't change" everyone else
At least that's the impression I'm getting, so I hope that helps clarify why I'm still not convinced it's that critical.
Just to clarify:
I have absolutely nothing against using Authenticode on Windows :-)
I'm only trying to convince you that *additionally* providing GPG sigs for Windows downloads is a good thing and we should not stop doing this, since it makes verification of downloaded files easier. It's not hard to do, can be automated and provides additional security which can be verified on any platform, not only Windows.
Cheers,
Marc-Andre Lemburg eGenix.com
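The two-layer check Marc-Andre describes in the thread (a hash that only guards against corruption, plus a detached GPG signature that proves who built the file, verifiable on any platform) as an added example; this is not code from the thread, from python.org's release tooling or from GnuPG. It assumes `gpg` is on PATH for the live signature step; the status-line parser and hash helpers run without it. The file names, fingerprint and sample status lines are constructed placeholders, not real release data.

```python
"""Check a downloaded installer by SHA-256 hash and by detached OpenPGP signature.

Added example (not the thread's, python.org's or GnuPG's own code).  Assumes
`gpg` is on PATH for verify_signature(); everything else runs offline.
"""
import hashlib
import hmac
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

# gpg status tags that mean the signature must be rejected outright.
_BAD_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed placeholder fingerprint standing in for the one a download page publishes.
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Constructed `gpg --status-fd 1 --verify` output for a good and a bad signature.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Manager <rm@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-04-03 1428076800 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
SAMPLE_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Release Manager <rm@example.invalid>\n"
)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(actual_hex: str, expected_hex: str) -> bool:
    """Integrity only: a matching hash shows the bytes are the ones whoever published
    the hash listed; it says nothing about who built them unless the hash itself
    reached you over a channel you already trust."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def _norm_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


@dataclass
class SigResult:
    valid: bool
    fingerprint: Optional[str]
    reason: str


def parse_gpg_status(status_text: str, expected_fpr: str) -> SigResult:
    """Interpret `gpg --status-fd` lines and pin the signing key.

    GOODSIG only says the signature verifies under *some* key in the local keyring.
    VALIDSIG carries the full fingerprint, which is compared with the fingerprint
    published next to the download: that pinned value is the trust anchor that
    stands in for the CA chain Authenticode relies on.
    """
    want = _norm_fpr(expected_fpr)
    seen = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in _BAD_TAGS:
            return SigResult(False, None, tag)
        if tag == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the signing (sub)key fingerprint; the optional 12th field
            # is the primary key fingerprint.  A match on either is accepted.
            seen.append(_norm_fpr(fields[2]))
            if len(fields) >= 12:
                seen.append(_norm_fpr(fields[11]))
    if not seen:
        return SigResult(False, None, "no VALIDSIG line")
    if want in seen:
        return SigResult(True, want, "VALIDSIG from pinned key")
    return SigResult(False, seen[0], "valid signature, but not from the pinned key")


def verify_signature(file_path: str, sig_path: str, expected_fpr: str) -> SigResult:
    """Run gpg on a detached .asc signature and interpret its machine-readable status."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return SigResult(False, None, "gpg not installed")
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout, expected_fpr)


def verify_download(file_path, sig_path, expected_sha256, expected_fpr):
    """Both checks: the hash catches corruption, the signature answers who produced the bytes."""
    ok_hash = hash_matches(sha256_of_file(file_path), expected_sha256)
    sig = verify_signature(file_path, sig_path, expected_fpr)
    return ok_hash and sig.valid, sig


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:
        print("usage: verify.py <installer> <installer.asc> <sha256> <fingerprint>")
    else:
        ok, sig = verify_download(*sys.argv[1:])
        print("trusted" if ok else "REJECT", sig.reason)
```

The point of pinning the fingerprint is the one the thread circles around: without a CA, the published fingerprint is the only thing that ties a "good" signature to the release manager, so a verifier that stops at GOODSIG would accept any key that happened to be imported into the local keyring.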
participants (7)
- Barry Warsaw
- Brian Curtin
- Donald Stufft
- Larry Hastings
- M.-A. Lemburg
- Paul Moore
- Steve Dower