[python-committers] New Authenticode certificate

M.-A. Lemburg mal at egenix.com
Wed Feb 10 03:40:43 EST 2016


On 09.02.2016 22:40, Steve Dower wrote:
> On 09Feb2016 1030, M.-A. Lemburg wrote:
>> On 09.02.2016 18:41, Jeff Hardy wrote:
>>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>>
>>>> To everyone: We now have a PSF code signing certificate.
>>>>
>>>> I have sent the certificate to Steve for use in the Windows
>>>> installers. If other developers need to create signed
>>>> installers/code for Python, please let me know.
>>>>
>>>
>>> Hi Marc-Andre,
>>> Would it be possible to use it for IronPython as well?
>>
>> I don't know. Steve is using it as Authenticode certificate,
>>
>> [SNIP]
>>
>> It will certainly work for signing executables and msi
>> installers.
>>
>> Perhaps Steve can help with this.
>>
> 
> There are three aspects to this: technical, political and security.
> 
> Technically, yes IronPython could absolutely be signed with the same certificate.
> 
> Politically, it requires the PSF to be willing to put their name to the safety of the signed
> binaries and installers. Essentially, if/when something bad is done with or via something signed by
> the PSF, there is an implied responsibility (no idea how legally enforceable it is). I am not in a
> position to say whether or not this is okay for IronPython.

Regardless of politics (the PSF wants to help where ever we can),
we may only sign code with the PSF code signing certificate which
the PSF has a right to distribute.

I originally was under the impression that we do, but now that I
wanted to check, I'm having trouble finding the copyright owners
of the code.

The license is the Apache license (but without copyright holder
information), and the stdlib is part of the installers (which the
PSF has distribution rights to), but the IronPython runtime itself
only says: "Copyright (c) IronPython Team", so it's not clear what
distribution rights the PSF would have.

> Security-wise, it is very important to minimize the number of people who have access to the
> certificate. Code signed with this certificate is basically given a free pass by most virus scanners
> and security software.

I don't think that's a true statement. Decent virus scanners
will still scan the files for malicious content, even if signed.

It's true that minimizing the possible attack surface is always
preferred, though.

> If we decide to start signing IronPython with the PSF certificate, I'd be most comfortable if I were
> doing the builds to avoid sharing the certificate any further than needed. But that isn't going to
> scale when all the other interpreters want equal treatment.
> 
> I'm not sure exactly what the cost of the certificate is to the PSF, but it may be an expense
> they're willing to take to get separate certs?

We can only get one code signing certificate per organization from
our certificate provider StartSSL.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Feb 10 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...           http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...           http://zope.egenix.com/
________________________________________________________________________
2016-01-19: Released eGenix pyOpenSSL 0.13.13 ... http://egenix.com/go86

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
                      http://www.malemburg.com/



More information about the python-committers mailing list