On 4 April 2015 at 11:14, Steve Dower <steve.do...@microsoft.com> wrote: > The thing is, that's exactly the same goodness as Authenticode gives, except > everyone gets that for free and meanwhile you're the only one who has > admitted to using GPG on Windows :) > > Basically, what I want to hear is that GPG sigs provide significantly better > protection than hashes (and I can provide better than MD5 for all files if > it's useful), taking into consideration that (I assume) I'd have to obtain a > signing key for GPG and unless there's a CA involved like there is for > Authenticode, there's no existing trust in that key.
GPG sigs will provide protection against replay attacks [unless we're proposing to revoke signatures on old point releases with known security vulnerabilities - something that Window software vendors tend not to do because of the dramatic and immediate effect on the deployed base...] This is not relevant for things we're hosting on SSL, but is if anyone is mirroring our installers around. They dont' seem to be so perhaps its a bit 'meh'. OTOH I also think there is value in consistency: signing all our artifacts makes checking back on them later easier, should we need to. One question, if you will - I don't think this was asked so far - is authenticode verifiable from Linux, without Windows? And does it work for users of WINE ? -Rob -- Robert Collins <rbtcoll...@hp.com> Distinguished Technologist HP Converged Cloud _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com