> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg <m...@egenix.com> wrote:
> 
> On 04.04.2015 00:14, Steve Dower wrote:
>> The thing is, that's exactly the same goodness as Authenticode gives, except 
>> everyone gets that for free and meanwhile you're the only one who has 
>> admitted to using GPG on Windows :)
>> 
>> Basically, what I want to hear is that GPG sigs provide significantly better 
>> protection than hashes (and I can provide better than MD5 for all files if 
>> it's useful), taking into consideration that (I assume) I'd have to obtain a 
>> signing key for GPG and unless there's a CA involved like there is for 
>> Authenticode, there's no existing trust in that key.
> 
> Hashes only provide checks against file corruption (and then
> only if you can trust the hash values). GPG provides all the
> benefits of public key encryption on arbitrary files (not just
> code).
> 
> The main benefit in case of downloadable installers is to
> be able to make sure that the files are authentic, meaning that
> they were created and signed by the people listed as packagers.
> 
> There is no CA infrastructure involved as for SSL certificates
> or Authenticode, but it's easy to get the keys from key servers
> given the key signatures available from python.org's download
> pages.

FTR if we’re relying on people to get the GPG keys from the download
pages then there’s no additional benefit over just using a hash
published on the same page.

In order to get additional benefit we’d need to get Steve’s key
signed by enough people to get him into the strong set.

> 
> If you want to sign a package file using GPG, you will need
> to create your own key, upload it to the key servers and then
> place the signature up on the download page.
> 
> Relying only on Authenticode for Windows installers would
> result in a break in technology w/r to the downloads we
> make available for Python, since all other files are (usually)
> GPG signed:
> 
> https://www.python.org/ftp/python/3.4.3/
> 
> Cheers,
> --
> Marc-Andre Lemburg
> eGenix.com
> 
> Professional Python Services directly from the Source
>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
> ________________________________________________________________________
> 
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
> 
> 
>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>           Registered at Amtsgericht Duesseldorf: HRB 46611
>               http://www.egenix.com/company/contact/
> 
> 
>> Cheers,
>> Steve
>> 
>> Top-posted from my Windows Phone
>> ________________________________
>> From: M.-A. Lemburg<mailto:m...@egenix.com>
>> Sent: 4/3/2015 10:55
>> To: Steve Dower<mailto:steve.do...@microsoft.com>; Larry 
>> Hastings<mailto:la...@hastings.org>; Python 
>> Dev<mailto:python-dev@python.org>; 
>> python-committers<mailto:python-committ...@python.org>
>> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows 
>> files with GnuPG?
>> 
>> On 03.04.2015 19:35, Steve Dower wrote:
>>>> My Windows development days are firmly behind me. So I don't really have an
>>>> opinion here. So I put it to you, Windows Python developers: do you care 
>>>> about
>>>> GnuPG signatures on Windows-specific files? Or do you not care?
>>> 
>>> The later replies seem to suggest that they are general goodness that 
>>> nobody on Windows will use. If someone convinces me (or steamrolls me, 
>>> that's fine too) that the goodness of GPG is better than a hash then I'll 
>>> look into adding it into the process. Otherwise I'll happily add hash 
>>> generation into the upload process (which I'm going to do anyway for the 
>>> ones displayed on the download page).
>> 
>> FWIW: I regularly check the GPG sigs on all important downloaded
>> files, regardless of which platform they target, including the
>> Windows installers for Python or any other Windows installers
>> I use which provide such sigs.
>> 
>> The reason is simple:
>> The signature is a proof of authenticity which is not bound to
>> a particular file format or platform and before running .exes
>> it's good to know that they were built by the right people and
>> not manipulated by trojans, viruses or malicious proxies.
>> 
>> Is that a good enough reason to continue providing the GPG
>> sigs or do you need more proof of goodness ? ;-)
>> 
>> --
>> Marc-Andre Lemburg
>> eGenix.com
>> 
> 
> _______________________________________________
> python-committers mailing list
> python-committ...@python.org
> https://mail.python.org/mailman/listinfo/python-committers

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
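The thread above contrasts two checks a downloader can run: a digest published next to the file (which, as Donald notes, only proves the file matches whatever the same page says, and so adds nothing if that page is what you distrust) and a detached OpenPGP signature checked against a key whose fingerprint came from somewhere else (the web of trust, a previously known signer, a fingerprint in a mail signature). The script below is an added example, not part of this thread and not python.org's release tooling; it assumes `sha256sum` (or `shasum`) and `gpg` are installed, and every file name, digest and fingerprint passed to it is a placeholder supplied by the caller. It separates the two checks so the difference in what each one proves is visible in the code.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or python.org's release process).
# Assumes: a downloaded installer, a published SHA-256 digest, a detached .asc
# signature, and a signer fingerprint obtained out of band. All values are placeholders.
set -eu

# Print the lowercase hex SHA-256 of a file, using whichever tool the platform has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Integrity only: the bytes match the digest. This says nothing about who produced
# them, and if the digest was read from the same page as the download, a compromised
# page can serve a matching digest for a tampered file.
check_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$file")" = "$expected" ]
}

# Authenticity: the signature was made by a specific key. This is only stronger than
# the digest if the expected fingerprint did NOT come from the download page itself.
# gpg's machine-readable status output (--status-fd) emits a VALIDSIG line carrying the
# full fingerprint of the signing key, which is compared here instead of trusting the
# human-readable "Good signature" text.
verify_gpg_signature() {
    file="$1"; sig="$2"
    # Accept fingerprints written with spaces or lowercase, as they appear in mail sigs.
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Usage: sh verify.sh <installer> <published-sha256> <installer.asc> <signer-fingerprint>
if [ $# -eq 4 ]; then
    if check_sha256 "$1" "$2"; then
        echo "digest matches (integrity only)"
    else
        echo "DIGEST MISMATCH: file does not match the published hash" >&2; exit 1
    fi
    if verify_gpg_signature "$1" "$3" "$4"; then
        echo "good signature from the expected key (authenticity)"
    else
        echo "SIGNATURE CHECK FAILED: bad signature or unexpected signing key" >&2; exit 1
    fi
fi
```

Note that `gpg --verify` reporting a good signature from an unknown key proves nothing about who signed the file; the fingerprint comparison is the step that ties the check to a key you trust, and how that trust was established (a key signed into the strong set, or one you verified in person) is exactly the question the thread is debating.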

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev