[Python-Dev] Do we need to sign Windows files with GnuPG?

Larry Hastings larry at hastings.org
Fri Apr 3 11:56:53 CEST 2015 

As of Python 3.5 Steve Dower has taken over the Windows builds of Python 
from Martin van Loewis.  He's also taken over for 2.7--though Martin's 
still doing builds for 3.4.

For both versions, Steve is using all-new tooling for the build 
process.  The output is different, too; he's producing .exe installers 
instead of .msi installers, and he has snazzy new "web-based" installers 
where the initial download is small, then it downloads the rest dynamically.

Steve's also changed the authentication process.  His new installers 
rely on a Windows digital signature technology called Authenticode where 
the signature is built right into the .exe file.  Windows platforms will 
automatically authenticate executables signed with Authenticode, so this 
is both secure and convenient.

Martin's build process also digitally signed the files he built, but not 
using Authenticode (or at least I don't think so).  Like the Mac and 
source code releases, his automation used GnuPG to produce separate 
".asc" files containing digital signatures.  This meant authentication 
was a manual process.

The Authenticode approach sounds great.  But there are advantages to the 
GnuPG approach too:

  * Using GnuPG means we can authenticate the files from any platform,
    not just Windows.  If there were a security breach on the Python
    content delivery network, any developer could get GnuPG for their
    platform and authenticate that the installers are unmodified.  If we
    use Authenitcode,
  * GnuPG is agnostic about the data it digitally signs.  So, for
    example, Martin's build process digitally signs the Windows help
    file--the ".chm" file--produced by his build process.  The help file
    Steve builds is currently completely unsigned; Steve says he can try
    signing it but he's not sure it'll work.  Note that .chm files
    actually /can/ contain live code, so this is at least a plausible
    vector for attack.


My Windows development days are firmly behind me.  So I don't really 
have an opinion here.  So I put it to you, Windows Python developers: do 
you care about GnuPG signatures on Windows-specific files?  Or do you 
not care?


//arry/

p.s. And, of course, my thanks to both Steve and Martin for their past 
and continuing service to the Python community!  It's a pleasure working 
with each of them.  (Both of them?  I forget how English works.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20150403/c4b8d333/attachment-0001.html>

More information about the Python-Dev mailing list