https://bz.apache.org/ooo/show_bug.cgi?id=127418
--- Comment #4 from Kyle H <[email protected]> ---

Realistically, there are a few issues here. (I understand that this is probably not the best place to describe it, but I'm bringing a couple of threads together here for this analysis.)

Signing the MSI and installer EXE is the simplest part of this. They would need to be submitted to Symantec's signing infrastructure, and utilize credits to do so. (You can test it by using signtool.exe, from the Windows SDK, with a self-signed certificate generated by certtool.exe. But the signature verifiable with the self-signed certificate won't mean anything, other than "these things can be signed".)

But ideally, the issue doesn't end there. The freeware source code/text editor Notepad++ had to push a release fairly recently because one of the CIA tool disclosures referred to a persistent implant enabled not because of unsigned DLLs, but because the signatures on the DLLs weren't checked. See https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html for details.

Note: I'm not saying that OpenOffice has been hacked. I'm saying that it would be incredibly easy to hack in the same manner, and if it's used for general-purpose office tasks it eventually will be targeted. (And even if you trust the US CIA, there's all sorts of other actors -- not limited to state-level adversaries, but also to any criminal who has or can hire the expertise -- who can do so.)

So, again ideally, it would be good if on Windows all of the DLLs and everything that could be digitally signed (which you can determine by using signtool.exe on every artifact that OpenOffice includes in its installer) had its signature checked before it was loaded. This would take a LOT more credits in Symantec's infrastructure, and I don't know if Apache would consider it to be worth it.

It would also be awesome if it could be done on MacOSX, but I do understand that there may be other (legal department) reasons why it can't necessarily be done as easily there.
And I don't know of any digital signature standard for binaries or dynamic shared objects on Linux.
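
The comment above suggests enumerating every signable artifact in the install and checking its signature. The following PowerShell inventory does that with `Get-AuthenticodeSignature`; it is an added example, not part of the original comment or of the OpenOffice project, and the default install path and the extension list are placeholder assumptions.

```powershell
# Added example: inventory the Authenticode status of every signable file under an install tree.
# Assumptions: the default $InstallRoot is a placeholder, and $Extensions is an assumed
# list of signable file types; pass the real values for the installation being audited.
param(
    [string]$InstallRoot = 'C:\Path\To\OpenOffice',
    [string[]]$Extensions = @('.dll', '.exe', '.msi', '.ocx', '.sys')
)

if (-not (Test-Path -LiteralPath $InstallRoot -PathType Container)) {
    throw "Install root not found: $InstallRoot"
}

# Collect one record per candidate file with its signature status and signer.
$results = Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Path   = $_.FullName
        }
    }

# Summary: how many files fall into each status.
$results | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Detail: everything that is not a valid, trusted signature.
# HashMismatch means the file changed after it was signed and deserves attention first.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Path |
    Format-Table Status, Path -AutoSize -Wrap

# Distinct signers among validly signed files, to spot binaries signed by an unexpected party.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer |
    Format-Table Count, Name -AutoSize -Wrap
```

This reports the state of the files on disk at audit time; it does not make the application verify signatures when it loads a DLL, which is the check the comment asks for.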
