"One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ?"

I've seen some info suggesting that it's verifiable, but you do need to extract the cert and calculate the hash against less than the signed file. Seemed like Mono had a tool for it, but OpenSSL can handle the cert.

Currently the new installer doesn't run on Wine because of missing APIs (since I want to discuss alternate distribution ideas I haven't treated this as a priority), and I've heard they haven't implemented enough crypto yet to handle it, but that could be outdated.

"GPG sigs will provide protection against replay attacks"

How does this work?

Cheers, Steve

Top-posted from my Windows Phone

From: Robert Collins<mailto:robertc@robertcollins.net> Sent: ‎4/‎4/‎2015 21:59 To: Steve Dower<mailto:Steve.Dower@microsoft.com> Cc: M.-A. Lemburg<mailto:mal@egenix.com>; Larry Hastings<mailto:larry@hastings.org>; Python Dev<mailto:python-dev@python.org>; python-committers<mailto:python-committers@python.org> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

On 4 April 2015 at 11:14, Steve Dower <Steve.Dower@microsoft.com> wrote:

The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)

Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.

GPG sigs will provide protection against replay attacks [unless we're proposing to revoke signatures on old point releases with known security vulnerabilities - something that Window software vendors tend not to do because of the dramatic and immediate effect on the deployed base...]

This is not relevant for things we're hosting on SSL, but is if anyone is mirroring our installers around. They dont' seem to be so perhaps its a bit 'meh'.

OTOH I also think there is value in consistency: signing all our artifacts makes checking back on them later easier, should we need to.

One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ?

-Rob

-- Robert Collins <rbtcollins@hp.com> Distinguished Technologist HP Converged Cloud