Signing extensions

Neil Hodgson nyamatongwe+thunder at
Sat Sep 26 08:01:34 CEST 2009

Roger Binns:

> The Windows Python distribution is signed by PGP and the normal Microsoft
> way using a Verisign class 3 cert.  (If you read their issuer statement it
> ultimately says the cert isn't worth the bits it is printed on :-)  One of
> those certs is $500 per year which is out of the question for me.

   Code signing certificates that will be be valid for Windows
Authenticode cost $129 per year through CodeProject

> Does anyone have any other suggestions?  Has the PSF considered running a
> certificate authority for extension developers, and other Python developers
> for that matter?

   I'd like to see a certificate authority for open source projects
based mainly on project reputation and longevity. There may need to be
some payment to avoid flooding the CA with invalid requests - say $30
per year. It would be great if this CA was recognised by Microsoft and
Apple as well as Linux and BSD distributions.

   There are some issues about identity here. Should the certificate be
 for the project, an individual, or an individual within a project? You
want to know that PyExt1 comes from the genuine Ext1 project but the
build will commonly be initiated by an individual who may later be found
to be malicious. The Ext1 project should be able to revoke "Mal Icious
of Ext1" and have future releases signed by "Trust Worthy of Ext1".


More information about the Python-list mailing list