Re: [python-committers] New Authenticode certificate
On Wed, Feb 17, 2016 at 12:05 PM, Steve Dower wrote: > On 17Feb2016 0903, M.-A. Lemburg wrote: > >> On 16.02.2016 23:45, Jeff Hardy wrote: >> >>> I don't have an issue with Steve building them; the release process is >>> pretty much a single make step. It's a mild annoyance for each of us, but >>> it would only be for final releases, so only 2-3 times a year at most. >>> >> >> If Steve is fine with this approach, it sounds like a good option. >> >> > I'm fine with this, though I'll probably contribute some extra automation. > One-click build/sign/upload (or send-to-Jeff) are a few of my favourite > things. > > I also agree that the certificate only indicates that "we the PSF" built > the code, believe it to be unchanged from the sources, and believe the > origin of the sources is safe. If anyone has concerns about mine or Jeff's > role in this, looks like now is the time to speak up. > I'm rather busy right now with moving but once it's time to do another release I'll get in touch again and we can hash out a process for signing artifacts. - Jeff ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 17Feb2016 0903, M.-A. Lemburg wrote: On 16.02.2016 23:45, Jeff Hardy wrote: I don't have an issue with Steve building them; the release process is pretty much a single make step. It's a mild annoyance for each of us, but it would only be for final releases, so only 2-3 times a year at most. If Steve is fine with this approach, it sounds like a good option. I'm fine with this, though I'll probably contribute some extra automation. One-click build/sign/upload (or send-to-Jeff) are a few of my favourite things. I also agree that the certificate only indicates that "we the PSF" built the code, believe it to be unchanged from the sources, and believe the origin of the sources is safe. If anyone has concerns about mine or Jeff's role in this, looks like now is the time to speak up. Cheers, Steve ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 16.02.2016 23:45, Jeff Hardy wrote: > On Wed, Feb 10, 2016 at 12:40 AM, M.-A. Lemburg wrote: > >> On 09.02.2016 22:40, Steve Dower wrote: >>> On 09Feb2016 1030, M.-A. Lemburg wrote: On 09.02.2016 18:41, Jeff Hardy wrote: > On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: > >> To everyone: We now have a PSF code signing certificate. >> >> I have sent the certificate to Steve for use in the Windows >> installers. If other developers need to create signed >> installers/code for Python, please let me know. >> > > Hi Marc-Andre, > Would it be possible to use it for IronPython as well? I don't know. Steve is using it as Authenticode certificate, [SNIP] It will certainly work for signing executables and msi installers. Perhaps Steve can help with this. >> > > Yes, it would be signing the IronPython .exe's, MSI, and possibly NuGet > packages (although that part of the ecosystem is in flux and I have no idea > what's going on right now). > > >>> >>> There are three aspects to this: technical, political and security. >>> >>> Technically, yes IronPython could absolutely be signed with the same >> certificate. >>> >>> Politically, it requires the PSF to be willing to put their name to the >> safety of the signed >>> binaries and installers. Essentially, if/when something bad is done with >> or via something signed by >>> the PSF, there is an implied responsibility (no idea how legally >> enforceable it is). I am not in a >>> position to say whether or not this is okay for IronPython. >> >> Regardless of politics (the PSF wants to help where ever we can), >> we may only sign code with the PSF code signing certificate which >> the PSF has a right to distribute. >> >> I originally was under the impression that we do, but now that I >> wanted to check, I'm having trouble finding the copyright owners >> of the code. >> >> The license is the Apache license (but without copyright holder >> information), and the stdlib is part of the installers (which the >> PSF has distribution rights to), but the IronPython runtime itself >> only says: "Copyright (c) IronPython Team", so it's not clear what >> distribution rights the PSF would have. >> > > We deliberately didn't so copyright assignment at the start to avoid > dealing with the MS lawyers too much, so the bulk of the code is (c) > Microsoft, the rest would be whoever wrote it. It's a nice, low-friction > system, as long as we don't change it. :) > > If we had to move to PSF copyright assignment I'd be OK with it (and I > doubt other main contributors would have an issue) but the trick would be > tracking down all other contributors and getting their sign off, and also > getting MS to sign off on it (although the MS of today would probably be > more amenable than the MS of 5 years ago). I can take this up to the PSF board to see whether we'd want to go through that trouble :-) One of the reasons Python has the long license stack is that we've so far avoided trying to cut it down one by one, since it involves lots of talk not many people really want to go through or invest time into. > Alternatively, maybe the *binaries* can be (c) PSF, but the code copyrights > remain the same as they are. Not sure if that's a thing. Then the PSF would > have no issues distributing the binaries. I'm pretty sure the Apache > license is enough to give the PSF (though their representative) permission > to build binaries from the source and distribute them, but IANAL, etc. Hmm, you're raising a good point. The Python contrib forms also license the code using the Apache license (as one of two possible licenses) to the PSF, without assigning copyright. The contrib forms give the PSF a permission to relicense the code, but this wouldn't be necessary here, since we'd just be distributing the binaries under the same license. And in the end, object signing just means that *we* used the code to build the executables, nothing more, so not even the "(c) PSF" should be necessary. >>> Security-wise, it is very important to minimize the number of people who >> have access to the >>> certificate. Code signed with this certificate is basically given a free >> pass by most virus scanners >>> and security software. >> >> I don't think that's a true statement. Decent virus scanners >> will still scan the files for malicious content, even if signed. >> >> It's true that minimizing the possible attack surface is always >> preferred, though. >> >>> If we decide to start signing IronPython with the PSF certificate, I'd >> be most comfortable if I were >>> doing the builds to avoid sharing the certificate any further than >> needed. But that isn't going to >>> scale when all the other interpreters want equal treatment. >>> >>> I'm not sure exactly what the cost of the certificate is to the PSF, but >> it may be an expense >>> they're willing to take to get separate certs? >> >> We can only get one c
Re: [python-committers] New Authenticode certificate
On Wed, Feb 10, 2016 at 12:40 AM, M.-A. Lemburg wrote: > On 09.02.2016 22:40, Steve Dower wrote: > > On 09Feb2016 1030, M.-A. Lemburg wrote: > >> On 09.02.2016 18:41, Jeff Hardy wrote: > >>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: > >>> > To everyone: We now have a PSF code signing certificate. > > I have sent the certificate to Steve for use in the Windows > installers. If other developers need to create signed > installers/code for Python, please let me know. > > >>> > >>> Hi Marc-Andre, > >>> Would it be possible to use it for IronPython as well? > >> > >> I don't know. Steve is using it as Authenticode certificate, > >> > >> [SNIP] > >> > >> It will certainly work for signing executables and msi > >> installers. > >> > >> Perhaps Steve can help with this. > Yes, it would be signing the IronPython .exe's, MSI, and possibly NuGet packages (although that part of the ecosystem is in flux and I have no idea what's going on right now). > >> > > > > There are three aspects to this: technical, political and security. > > > > Technically, yes IronPython could absolutely be signed with the same > certificate. > > > > Politically, it requires the PSF to be willing to put their name to the > safety of the signed > > binaries and installers. Essentially, if/when something bad is done with > or via something signed by > > the PSF, there is an implied responsibility (no idea how legally > enforceable it is). I am not in a > > position to say whether or not this is okay for IronPython. > > Regardless of politics (the PSF wants to help where ever we can), > we may only sign code with the PSF code signing certificate which > the PSF has a right to distribute. > > I originally was under the impression that we do, but now that I > wanted to check, I'm having trouble finding the copyright owners > of the code. > > The license is the Apache license (but without copyright holder > information), and the stdlib is part of the installers (which the > PSF has distribution rights to), but the IronPython runtime itself > only says: "Copyright (c) IronPython Team", so it's not clear what > distribution rights the PSF would have. > We deliberately didn't so copyright assignment at the start to avoid dealing with the MS lawyers too much, so the bulk of the code is (c) Microsoft, the rest would be whoever wrote it. It's a nice, low-friction system, as long as we don't change it. :) If we had to move to PSF copyright assignment I'd be OK with it (and I doubt other main contributors would have an issue) but the trick would be tracking down all other contributors and getting their sign off, and also getting MS to sign off on it (although the MS of today would probably be more amenable than the MS of 5 years ago). Alternatively, maybe the *binaries* can be (c) PSF, but the code copyrights remain the same as they are. Not sure if that's a thing. Then the PSF would have no issues distributing the binaries. I'm pretty sure the Apache license is enough to give the PSF (though their representative) permission to build binaries from the source and distribute them, but IANAL, etc. > > > Security-wise, it is very important to minimize the number of people who > have access to the > > certificate. Code signed with this certificate is basically given a free > pass by most virus scanners > > and security software. > > I don't think that's a true statement. Decent virus scanners > will still scan the files for malicious content, even if signed. > > It's true that minimizing the possible attack surface is always > preferred, though. > > > If we decide to start signing IronPython with the PSF certificate, I'd > be most comfortable if I were > > doing the builds to avoid sharing the certificate any further than > needed. But that isn't going to > > scale when all the other interpreters want equal treatment. > > > > I'm not sure exactly what the cost of the certificate is to the PSF, but > it may be an expense > > they're willing to take to get separate certs? > > We can only get one code signing certificate per organization from > our certificate provider StartSSL. > I don't have an issue with Steve building them; the release process is pretty much a single make step. It's a mild annoyance for each of us, but it would only be for final releases, so only 2-3 times a year at most. - Jeff ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 09.02.2016 22:40, Steve Dower wrote: > On 09Feb2016 1030, M.-A. Lemburg wrote: >> On 09.02.2016 18:41, Jeff Hardy wrote: >>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: >>> To everyone: We now have a PSF code signing certificate. I have sent the certificate to Steve for use in the Windows installers. If other developers need to create signed installers/code for Python, please let me know. >>> >>> Hi Marc-Andre, >>> Would it be possible to use it for IronPython as well? >> >> I don't know. Steve is using it as Authenticode certificate, >> >> [SNIP] >> >> It will certainly work for signing executables and msi >> installers. >> >> Perhaps Steve can help with this. >> > > There are three aspects to this: technical, political and security. > > Technically, yes IronPython could absolutely be signed with the same > certificate. > > Politically, it requires the PSF to be willing to put their name to the > safety of the signed > binaries and installers. Essentially, if/when something bad is done with or > via something signed by > the PSF, there is an implied responsibility (no idea how legally enforceable > it is). I am not in a > position to say whether or not this is okay for IronPython. Regardless of politics (the PSF wants to help where ever we can), we may only sign code with the PSF code signing certificate which the PSF has a right to distribute. I originally was under the impression that we do, but now that I wanted to check, I'm having trouble finding the copyright owners of the code. The license is the Apache license (but without copyright holder information), and the stdlib is part of the installers (which the PSF has distribution rights to), but the IronPython runtime itself only says: "Copyright (c) IronPython Team", so it's not clear what distribution rights the PSF would have. > Security-wise, it is very important to minimize the number of people who have > access to the > certificate. Code signed with this certificate is basically given a free pass > by most virus scanners > and security software. I don't think that's a true statement. Decent virus scanners will still scan the files for malicious content, even if signed. It's true that minimizing the possible attack surface is always preferred, though. > If we decide to start signing IronPython with the PSF certificate, I'd be > most comfortable if I were > doing the builds to avoid sharing the certificate any further than needed. > But that isn't going to > scale when all the other interpreters want equal treatment. > > I'm not sure exactly what the cost of the certificate is to the PSF, but it > may be an expense > they're willing to take to get separate certs? We can only get one code signing certificate per organization from our certificate provider StartSSL. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Feb 10 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ 2016-01-19: Released eGenix pyOpenSSL 0.13.13 ... http://egenix.com/go86 ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 09Feb2016 1030, M.-A. Lemburg wrote: On 09.02.2016 18:41, Jeff Hardy wrote: On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: To everyone: We now have a PSF code signing certificate. I have sent the certificate to Steve for use in the Windows installers. If other developers need to create signed installers/code for Python, please let me know. Hi Marc-Andre, Would it be possible to use it for IronPython as well? I don't know. Steve is using it as Authenticode certificate, [SNIP] It will certainly work for signing executables and msi installers. Perhaps Steve can help with this. There are three aspects to this: technical, political and security. Technically, yes IronPython could absolutely be signed with the same certificate. Politically, it requires the PSF to be willing to put their name to the safety of the signed binaries and installers. Essentially, if/when something bad is done with or via something signed by the PSF, there is an implied responsibility (no idea how legally enforceable it is). I am not in a position to say whether or not this is okay for IronPython. Security-wise, it is very important to minimize the number of people who have access to the certificate. Code signed with this certificate is basically given a free pass by most virus scanners and security software. If we decide to start signing IronPython with the PSF certificate, I'd be most comfortable if I were doing the builds to avoid sharing the certificate any further than needed. But that isn't going to scale when all the other interpreters want equal treatment. I'm not sure exactly what the cost of the certificate is to the PSF, but it may be an expense they're willing to take to get separate certs? Cheers, Steve ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 09.02.2016 18:41, Jeff Hardy wrote: > On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: > >> To everyone: We now have a PSF code signing certificate. >> >> I have sent the certificate to Steve for use in the Windows >> installers. If other developers need to create signed >> installers/code for Python, please let me know. >> > > Hi Marc-Andre, > Would it be possible to use it for IronPython as well? I don't know. Steve is using it as Authenticode certificate, which NuGet also seems to be planing to use: http://blog.nuget.org/20150203/package-signing.html but I have no experience with .NET code signing. They also seem to have settled for a slightly different approach since writing the above blog post: https://github.com/aspnet/Signing/blob/dev/Spec.md which doesn't look compatible with Authenticode. It will certainly work for signing executables and msi installers. Perhaps Steve can help with this. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Feb 09 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ 2016-01-19: Released eGenix pyOpenSSL 0.13.13 ... http://egenix.com/go86 ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg wrote: > To everyone: We now have a PSF code signing certificate. > > I have sent the certificate to Steve for use in the Windows > installers. If other developers need to create signed > installers/code for Python, please let me know. > Hi Marc-Andre, Would it be possible to use it for IronPython as well? - Jeff ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
To everyone: We now have a PSF code signing certificate. I have sent the certificate to Steve for use in the Windows installers. If other developers need to create signed installers/code for Python, please let me know. Thanks. On 22.01.2016 10:44, M.-A. Lemburg wrote: > On 21.01.2016 20:42, Steve Dower wrote: >> On 21Jan2016 1031, M.-A. Lemburg wrote: >>> I'm the one who handles the PSF StartSSL account and yes, >>> they also do code signing certificates. >> >> Did they provide our current certificate? The root CA is VeriSign, not >> StartCom. >> >> I have no particular issue with changing CA, but I really don't want >> multiple PSF-labelled code >> signing certificates floating around out there. > > We have switched to StartSSL for most of our certificate needs. > Some certs are also created using Gandi (for a few > externally hosted python.org subdomains) or Digicert (for > fastly cached domains): > > https://wiki.python.org/psf/PSF%20SSL%20Certificates > (you need a PSF wiki login to view the page) > > The older Verisign ones were from before the PSF attempted to > centralize the certificate management. > > I'll send you the instructions on how to create a CSR for the > cert offlist. > -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Feb 08 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 21.01.2016 20:42, Steve Dower wrote: > On 21Jan2016 1031, M.-A. Lemburg wrote: >> I'm the one who handles the PSF StartSSL account and yes, >> they also do code signing certificates. > > Did they provide our current certificate? The root CA is VeriSign, not > StartCom. > > I have no particular issue with changing CA, but I really don't want multiple > PSF-labelled code > signing certificates floating around out there. We have switched to StartSSL for most of our certificate needs. Some certs are also created using Gandi (for a few externally hosted python.org subdomains) or Digicert (for fastly cached domains): https://wiki.python.org/psf/PSF%20SSL%20Certificates (you need a PSF wiki login to view the page) The older Verisign ones were from before the PSF attempted to centralize the certificate management. I'll send you the instructions on how to create a CSR for the cert offlist. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 22 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 21Jan2016 1031, M.-A. Lemburg wrote: I'm the one who handles the PSF StartSSL account and yes, they also do code signing certificates. Did they provide our current certificate? The root CA is VeriSign, not StartCom. I have no particular issue with changing CA, but I really don't want multiple PSF-labelled code signing certificates floating around out there. ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
Re: [python-committers] New Authenticode certificate
On 21.01.2016 17:40, Steve Dower wrote: > (I forget exactly who to contact about the certificate, so I'm going slightly > more broad.) > > The PSF's certificate we use to sign binaries and the installer for Windows > is a SHA-1 certificate, > which has been deprecated as of the start of the year: http://aka.ms/sha1 > > Already Windows may warn about the certificate on our current and past > releases, but because the > signature is timestamped prior to 01Jan2016 it will not be blocked. However, > our next releases will > be blocked (with a bypass available) unless we update the certificate to > SHA-2. > > Some sources have suggested that CAs will provide a SHA-2 certificate for > free on request. > > Supporting Windows Vista and Windows Server 2008 appears to be complicated, > according to the link I > gave above. I want to test the effect of only signing with SHA-2 on those > platforms and make a > recommendation based on that, rather than trying to guess what will happen > (those OSs did not block > downloaded files as aggressively as Windows 7+). > > Happy to take this off list once I know who handles this certificate. I'm the one who handles the PSF StartSSL account and yes, they also do code signing certificates. I'd suggest to take this offlist. Thanks, -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Experts (#1, Jan 21 2016) >>> Python Projects, Coaching and Consulting ... http://www.egenix.com/ >>> Python Database Interfaces ... http://products.egenix.com/ >>> Plone/Zope Database Interfaces ... http://zope.egenix.com/ ::: We implement business ideas - efficiently in both time and costs ::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ http://www.malemburg.com/ ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers
[python-committers] New Authenticode certificate
(I forget exactly who to contact about the certificate, so I'm going slightly more broad.) The PSF's certificate we use to sign binaries and the installer for Windows is a SHA-1 certificate, which has been deprecated as of the start of the year: http://aka.ms/sha1 Already Windows may warn about the certificate on our current and past releases, but because the signature is timestamped prior to 01Jan2016 it will not be blocked. However, our next releases will be blocked (with a bypass available) unless we update the certificate to SHA-2. Some sources have suggested that CAs will provide a SHA-2 certificate for free on request. Supporting Windows Vista and Windows Server 2008 appears to be complicated, according to the link I gave above. I want to test the effect of only signing with SHA-2 on those platforms and make a recommendation based on that, rather than trying to guess what will happen (those OSs did not block downloaded files as aggressively as Windows 7+). Happy to take this off list once I know who handles this certificate. Cheers, Steve ___ python-committers mailing list python-committers@python.org https://mail.python.org/mailman/listinfo/python-committers