Signing extensions

Roger Binns rogerb at rogerbinns.com
Sat Sep 26 09:36:23 CEST 2009


Neil Hodgson wrote:
>    Code signing certificates that will be be valid for Windows
> Authenticode cost $129 per year through CodeProject

That isn't an amount I am prepared to pay either :-)  (I don't even use
Windows except as a glorified boot loader for Rise of Nations and to build
Python extensions.)  With the amount of hassle it causes me, I should be
paid for the development time spent on Windows issues!

>    I'd like to see a certificate authority for open source projects
> based mainly on project reputation and longevity. There may need to be
> some payment to avoid flooding the CA with invalid requests - say $30
> per year. It would be great if this CA was recognised by Microsoft and
> Apple as well as Linux and BSD distributions.

It can also be solved as low down as Python itself, as opposed to open
source in general.  The Python installation could install a root CA for the
PSF certifying authority although I suspect you can't then limit its use to
only Python extensions.  (I still find it amusing that the browser will
silently accept certificates from any of the ~100 CAs that come with it.
Your identity proof is only as strong as the weakest CA in the list, not the
strongest.)

It could also be solved by the download sites. For example Google Code does
allow you to visit it via https and even displays the download page over
https, but the downloads are over http.  If it occurred to you then you can
click on the "Summary+Labels" for an item where they show the SHA1 of the
file, but that is even more hassle for most users.

>    There are some issues about identity here.

You don't really need to worry about maliciousness.  Ultimately that will
come down to reputation.  I am more concerned about download sites being
hacked or malicious proxies being inserted into the network somewhere.  It
is good enough to be able to establish if this new version of the extension
was produced by the same person as the previous version I have installed.
PGP works wonderfully for that, except for Windows where no one has it.

> The Ext1 project should be able to revoke ...

That is pretty trivial to do if using regular CAs and OCSP.  Of course
someone still has to decide if the claim of maliciousness is correct or a
joe job.

Roger




More information about the Python-list mailing list