[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

Steve Dower Steve.Dower at microsoft.com
Sun Apr 5 14:07:53 CEST 2015


"One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?"

I've seen some info suggesting that it's verifiable, but you do need to extract the cert and calculate the hash against less than the signed file. Seemed like Mono had a tool for it, but OpenSSL can handle the cert.

Currently the new installer doesn't run on Wine because of missing APIs (since I want to discuss alternate distribution ideas I haven't treated this as a priority), and I've heard they haven't implemented enough crypto yet to handle it, but that could be outdated.

"GPG sigs will provide protection against replay attacks"

How does this work?

Cheers,
Steve

Top-posted from my Windows Phone
________________________________
From: Robert Collins<mailto:robertc at robertcollins.net>
Sent: 4/4/2015 21:59
To: Steve Dower<mailto:Steve.Dower at microsoft.com>
Cc: M.-A. Lemburg<mailto:mal at egenix.com>; Larry Hastings<mailto:larry at hastings.org>; Python Dev<mailto:python-dev at python.org>; python-committers<mailto:python-committers at python.org>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

On 4 April 2015 at 11:14, Steve Dower <Steve.Dower at microsoft.com> wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide significantly better
> protection than hashes (and I can provide better than MD5 for all files if
> it's useful), taking into consideration that (I assume) I'd have to obtain a
> signing key for GPG and unless there's a CA involved like there is for
> Authenticode, there's no existing trust in that key.

GPG sigs will provide protection against replay attacks [unless we're
proposing to revoke signatures on old point releases with known
security vulnerabilities - something that Windows software vendors tend
not to do because of the dramatic and immediate effect on the deployed
base...]

This is not relevant for things we're hosting on SSL, but is if anyone
is mirroring our installers around. They don't seem to be so perhaps
it's a bit 'meh'.

OTOH I also think there is value in consistency: signing all our
artifacts makes checking back on them later easier, should we need to.

One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?

-Rob


--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud
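
Added example, not part of the original thread: a Python sketch of the point in Steve Dower's reply that the Authenticode hash is calculated over less than the whole signed file. It skips the PE CheckSum field, the certificate-table directory entry and the certificate table itself. `authenticode_digest` and `build_sample` are hypothetical names, the sample image is constructed, and the sketch assumes a well-formed image with sections in file order; it does not validate the PKCS#7 signature or the certificate chain.

```python
import hashlib
import struct

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE image over the byte ranges an Authenticode signature covers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                                     # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                   # 4-byte CheckSum field
    cert_dir = opt + (128 if magic == 0x10B else 144)     # data directory entry 4
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    if cert_off == 0:                                     # unsigned image
        cert_off, cert_len = len(pe), 0
    if cert_off < cert_dir + 8 or cert_off + cert_len > len(pe):
        raise ValueError("certificate table out of bounds")
    h = hashlib.new(algo)
    # Everything except CheckSum, the directory entry and the signature blob.
    for chunk in (pe[:checksum], pe[checksum + 4:cert_dir],
                  pe[cert_dir + 8:cert_off], pe[cert_off + cert_len:]):
        h.update(chunk)
    return h.hexdigest()

def build_sample(sig_blob: bytes = b"") -> bytearray:
    """Constructed, minimal PE32-shaped buffer (not a loadable executable)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)         # PE32 magic
    img[0x180:0x200] = b"code" * 32                       # stand-in section data
    if sig_blob:                                          # append a fake signature
        struct.pack_into("<II", img, 0x80 + 24 + 128, len(img), len(sig_blob))
        img += sig_blob
    return img

if __name__ == "__main__":
    unsigned, signed = build_sample(), build_sample(b"\xAA" * 64)
    # Authenticode digest is unchanged by attaching the signature ...
    print(authenticode_digest(unsigned) == authenticode_digest(signed))
    # ... while a plain whole-file hash is not.
    print(hashlib.sha256(unsigned).hexdigest() == hashlib.sha256(signed).hexdigest())
```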