[Python-Dev] Do we need to sign Windows files with GnuPG?

[Steve Dower]

Larry Hastings wrote:
> Steve's also changed the authentication process. His new installers rely on a
> Windows digital signature technology called Authenticode where the signature is
> built right into the .exe file. Windows platforms will automatically
> authenticate executables signed with Authenticode, so this is both secure and
> convenient.
> 
> Martin's build process also digitally signed the files he built, but not using
> Authenticode (or at least I don't think so). Like the Mac and source code
> releases, his automation used GnuPG to produce separate ".asc" files containing
> digital signatures. This meant authentication was a manual process.

Martin previously only signed the installer with Authenticode, and generated a signature with GnuPG for the installer. My change now signs every binary and MSI in the entire installation with Authenticode, and for now I've stopped creating a GPG signature for the installers. I'm still providing sizes and MD5 hashes for the user-visible downloads (except for the last alpha release, thanks Larry for covering for me).

With the installer also being a downloader, there are now actually 30+ files uploaded for each Windows release. Most of these are never seen by users unless they run the installer with /layout (sorry for not having changed this to /download yet... it's not as easily customizable as I'd hoped, but /layout is the standard name for this command), and if they're being downloaded by the installer then both hashes (embedded in the installer) and Authenticode signatures (embedded in each file) are being checked and will be blocked if they don't match. So verifying the EXE installer should always be sufficient to trust the rest of the installable files.

> The Authenticode approach sounds great. But there are advantages to the GnuPG
> approach too:

For reference, the main advantage of Authenticode signing is shown at https://technet.microsoft.com/en-us/library/dd835561(v=ws.10).aspx - about halfway down there are screenshots of the various dialogs that are displayed when you run signed vs. unsigned vs. blocked applications.

It also helps bypass SmartScreen, which will block downloaded files until they've developed a minimum level of trust. Simply having an Authenticode signature on the initial download meets this level.

(The summary of my opinion is that these two checks are sufficient for the initial EXE download, and the embedded hashes and signatures are sufficient for the rest. Having python.exe et al signed is a bonus that we've never done in the past.)

> * Using GnuPG means we can authenticate the files from any platform, not just
> Windows. If there were a security breach on the Python content delivery network,
> any developer could get GnuPG for their platform and authenticate that the
> installers are unmodified. If we use Authenitcode,

There are tools out there for validating Authenticode on Linux, though none of them seem to be as complete as on Windows (it really needs the OS certificate store to be completely reliable), so I can certainly see the value in being able to verify these against a signature. My only question is whether/how this is better with GPG compared to say a SHA hash? I don't currently have a GPG key (to my knowledge), so it's not like there's any preexisting trust to build from - or am I misunderstanding how GPG works here?

> * GnuPG is agnostic about the data it digitally signs. So, for example, Martin's
> build process digitally signs the Windows help file--the ".chm" file--produced
> by his build process. The help file Steve builds is currently completely
> unsigned; Steve says he can try signing it but he's not sure it'll work. Note
> that .chm files actually can contain live code, so this is at least a plausible
> vector for attack.

Authenticode is not supported for CHM files, unfortunately. If this is the only file that we decide needs GPG, I'd vote to stop offering the download apart from the interpreter :) (Among other things, I'm not supposed to use GPG without specific permission from the lawyers at work because of the license...)

> My Windows development days are firmly behind me. So I don't really have an
> opinion here. So I put it to you, Windows Python developers: do you care about
> GnuPG signatures on Windows-specific files? Or do you not care?

The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).

Cheers,
Steve