[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

Wes Turner wes.turner at gmail.com
Sat Apr 4 15:42:55 CEST 2015


So, AFAIU from this discussion:

* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums

As far as downstream packaging on Windows (people who should/could be
subscribed to release ANNs):

For Chocolatey NuGet:

* https://chocolatey.org/packages/python
* https://chocolatey.org/packages/python.x86
* https://chocolatey.org/packages/python2
* https://chocolatey.org/packages/python-x86_32
* https://chocolatey.org/packages/python3

Python(x,y):

* https://code.google.com/p/pythonxy/

For Anaconda (the MS Azure chosen python distribution):

* http://docs.continuum.io/anaconda/install.html#windows-install

...

These should/could/are checking GPG signatures for Windows packages
downstream.

http://www.scipy.org/install.html
On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <mal at egenix.com> wrote:

> On 04.04.2015 00:14, Steve Dower wrote:
> > The thing is, that's exactly the same goodness as Authenticode gives,
> except everyone gets that for free and meanwhile you're the only one who
> has admitted to using GPG on Windows :)
> >
> > Basically, what I want to hear is that GPG sigs provide significantly
> better protection than hashes (and I can provide better than MD5 for all
> files if it's useful), taking into consideration that (I assume) I'd have
> to obtain a signing key for GPG and unless there's a CA involved like there
> is for Authenticode, there's no existing trust in that key.
>
> Hashes only provide checks against file corruption (and then
> only if you can trust the hash values). GPG provides all the
> benefits of public key encryption on arbitrary files (not just
> code).
>
> The main benefit in case of downloadable installers is to
> be able to make sure that the files are authentic, meaning that
> they were created and signed by the people listed as packagers.
>
> There is no CA infrastructure involved as for SSL certificates
> or Authenticode, but it's easy to get the keys from key servers
> given the key signatures available from python.org's download
> pages.
>
> If you want to sign a package file using GPG, you will need
> to create your own key, upload it to the key servers and then
> place the signature up on the download page.
>
> Relying only on Authenticode for Windows installers would
> result in a break in technology w/r to the downloads we
> make available for Python, since all other files are (usually)
> GPG signed:
>
> https://www.python.org/ftp/python/3.4.3/
>
> Cheers,
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source
> >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
> >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
>    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>            Registered at Amtsgericht Duesseldorf: HRB 46611
>                http://www.egenix.com/company/contact/
>
>
> > Cheers,
> > Steve
> >
> > Top-posted from my Windows Phone
> > ________________________________
> > From: M.-A. Lemburg<mailto:mal at egenix.com>
> > Sent: ‎4/‎3/‎2015 10:55
> > To: Steve Dower<mailto:Steve.Dower at microsoft.com>; Larry
> Hastings<mailto:larry at hastings.org>; Python Dev<mailto:
> python-dev at python.org>; python-committers<mailto:
> python-committers at python.org>
> > Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows
> files with GnuPG?
> >
> > On 03.04.2015 19:35, Steve Dower wrote:
> >>> My Windows development days are firmly behind me. So I don't really
> have an
> >>> opinion here. So I put it to you, Windows Python developers: do you
> care about
> >>> GnuPG signatures on Windows-specific files? Or do you not care?
> >>
> >> The later replies seem to suggest that they are general goodness that
> nobody on Windows will use. If someone convinces me (or steamrolls me,
> that's fine too) that the goodness of GPG is better than a hash then I'll
> look into adding it into the process. Otherwise I'll happily add hash
> generation into the upload process (which I'm going to do anyway for the
> ones displayed on the download page).
> >
> > FWIW: I regularly check the GPG sigs on all important downloaded
> > files, regardless of which platform they target, including the
> > Windows installers for Python or any other Windows installers
> > I use which provide such sigs.
> >
> > The reason is simple:
> > The signature is a proof of authenticity which is not bound to
> > a particular file format or platform and before running .exes
> > it's good to know that they were built by the right people and
> > not manipulated by trojans, viruses or malicious proxies.
> >
> > Is that a good enough reason to continue providing the GPG
> > sigs or do you need more proof of goodness ? ;-)
> >
> > --
> > Marc-Andre Lemburg
> > eGenix.com
>
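The two checks the thread contrasts, written out as an added example (it is not code from the thread, from python.org's release tooling, or from any of the downstream packagers listed above): a checksum comparison, which only proves the bytes were not corrupted and is worth no more than the channel the checksum came over, and a detached OpenPGP signature check, which proves the file was signed by the holder of a specific key. Assumptions: the checksum file uses the `<hex>  <filename>` line format of sha256sum/md5sum, a `gpg` binary is on PATH for the signature step, the sample installer bytes and checksum file are constructed here, and the set of release-manager fingerprints to pin is a parameter the caller supplies (none are hard-coded).

```python
"""Verify a downloaded release file two ways: hash (integrity) and
detached OpenPGP signature (authenticity). Added example; sample data
is constructed, not a real python.org release."""
import hashlib
import hmac
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class CheckResult:
    ok: bool
    reason: str


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. 'md5' is what the 2015 download page listed;
    prefer sha256 when the publisher offers it."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse '<hex>  <filename>' lines (sha256sum/md5sum style).
    Blank lines and '#' comments are ignored; a leading '*' on the
    filename (coreutils binary-mode marker) is stripped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        hexdigest, name = parts
        entries[name.lstrip("*")] = hexdigest.lower()
    return entries


def verify_digest(data: bytes, sums_text: str, filename: str,
                  algo: str = "sha256") -> CheckResult:
    """Integrity check only: a checksum served next to the file can be
    replaced by whoever replaced the file, so this proves nothing about
    who built it unless the checksum file itself is trusted or signed."""
    expected = parse_checksum_file(sums_text).get(filename)
    if expected is None:
        return CheckResult(False, f"no entry for {filename} in checksum file")
    actual = digest_hex(data, algo)
    if not hmac.compare_digest(actual, expected):
        return CheckResult(False, f"{algo} mismatch: expected {expected}, got {actual}")
    return CheckResult(True, f"{algo} matches (integrity only)")


def verify_detached_signature(file_path: str, sig_path: str,
                              keyring: Optional[str] = None,
                              expected_fingerprints: Iterable[str] = ()) -> CheckResult:
    """Authenticity check via `gpg --verify`. Exit status alone is not enough:
    gpg returns 0 for a good signature from any key in the keyring, so we
    parse the machine-readable VALIDSIG status line and pin the primary key
    fingerprint (last field of VALIDSIG per gpg's DETAILS document) against
    the release managers' fingerprints the caller obtained out of band."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:  # a dedicated keyring holding only release-manager keys
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, file_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return CheckResult(False, "gpg not installed")
    primary = None
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            primary = line.split()[-1].upper()
    if primary is None:
        return CheckResult(False, "no valid signature: " + proc.stderr.strip()[:200])
    pinned = {f.replace(" ", "").upper() for f in expected_fingerprints}
    if pinned and primary not in pinned:
        return CheckResult(False, f"signed by unexpected key {primary}")
    return CheckResult(True, f"valid signature from primary key {primary}")


# Constructed sample data: not a real installer or a real python.org checksum file.
SAMPLE_INSTALLER = b"MZ\x90\x00 constructed sample bytes, not a real installer\n"
TAMPERED_INSTALLER = SAMPLE_INSTALLER.replace(b"sample", b"SAMPLE")
SAMPLE_SUMS = ("# constructed checksum file, sha256sum format\n"
               f"{digest_hex(SAMPLE_INSTALLER)}  python-3.4.3.msi\n")

if __name__ == "__main__":
    print(verify_digest(SAMPLE_INSTALLER, SAMPLE_SUMS, "python-3.4.3.msi"))
    print(verify_digest(TAMPERED_INSTALLER, SAMPLE_SUMS, "python-3.4.3.msi"))
    # Real use: verify_detached_signature("python-3.4.3.msi", "python-3.4.3.msi.asc",
    #     keyring="release-keys.gpg", expected_fingerprints=["<fingerprint from python.org>"])
```

The design point is the one Marc-Andre makes: the hash check passes or fails on bytes alone, so an attacker who can swap the installer on a mirror or proxy can swap the checksum beside it. The signature check is only stronger if the verifying key is obtained independently of the download (a pinned fingerprint, a dedicated keyring), which is why the function refuses to accept gpg's exit status by itself.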