[python-committers] New Authenticode certificate

[Steve Dower]

On 09Feb2016 1030, M.-A. Lemburg wrote:
> On 09.02.2016 18:41, Jeff Hardy wrote:
>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>>
>>> To everyone: We now have a PSF code signing certificate.
>>>
>>> I have sent the certificate to Steve for use in the Windows
>>> installers. If other developers need to create signed
>>> installers/code for Python, please let me know.
>>>
>>
>> Hi Marc-Andre,
>> Would it be possible to use it for IronPython as well?
>
> I don't know. Steve is using it as Authenticode certificate,
>
> [SNIP]
>
> It will certainly work for signing executables and msi
> installers.
>
> Perhaps Steve can help with this.
>

There are three aspects to this: technical, political and security.

Technically, yes IronPython could absolutely be signed with the same 
certificate.

Politically, it requires the PSF to be willing to put their name to the 
safety of the signed binaries and installers. Essentially, if/when 
something bad is done with or via something signed by the PSF, there is 
an implied responsibility (no idea how legally enforceable it is). I am 
not in a position to say whether or not this is okay for IronPython.

Security-wise, it is very important to minimize the number of people who 
have access to the certificate. Code signed with this certificate is 
basically given a free pass by most virus scanners and security software.

If we decide to start signing IronPython with the PSF certificate, I'd 
be most comfortable if I were doing the builds to avoid sharing the 
certificate any further than needed. But that isn't going to scale when 
all the other interpreters want equal treatment.

I'm not sure exactly what the cost of the certificate is to the PSF, but 
it may be an expense they're willing to take to get separate certs?

Cheers,
Steve