Re: [python-committers] New Authenticode certificate

2016-02-22 Thread Jeff Hardy 
On Wed, Feb 17, 2016 at 12:05 PM, Steve Dower 
wrote:

> On 17Feb2016 0903, M.-A. Lemburg wrote:
>
>> On 16.02.2016 23:45, Jeff Hardy wrote:
>>
>>> I don't have an issue with Steve building them; the release process is
>>> pretty much a single make step. It's a mild annoyance for each of us, but
>>> it would only be for final releases, so only 2-3 times a year at most.
>>>
>>
>> If Steve is fine with this approach, it sounds like a good option.
>>
>>
> I'm fine with this, though I'll probably contribute some extra automation.
> One-click build/sign/upload (or send-to-Jeff) are a few of my favourite
> things.
>
> I also agree that the certificate only indicates that "we the PSF" built
> the code, believe it to be unchanged from the sources, and believe the
> origin of the sources is safe. If anyone has concerns about mine or Jeff's
> role in this, looks like now is the time to speak up.
>

I'm rather busy right now with moving but once it's time to do another
release I'll get in touch again and we can hash out a process for signing
artifacts.

- Jeff
___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-16 Thread Jeff Hardy 
On Wed, Feb 10, 2016 at 12:40 AM, M.-A. Lemburg  wrote:

> On 09.02.2016 22:40, Steve Dower wrote:
> > On 09Feb2016 1030, M.-A. Lemburg wrote:
> >> On 09.02.2016 18:41, Jeff Hardy wrote:
> >>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg  wrote:
> >>>
>  To everyone: We now have a PSF code signing certificate.
> 
>  I have sent the certificate to Steve for use in the Windows
>  installers. If other developers need to create signed
>  installers/code for Python, please let me know.
> 
> >>>
> >>> Hi Marc-Andre,
> >>> Would it be possible to use it for IronPython as well?
> >>
> >> I don't know. Steve is using it as Authenticode certificate,
> >>
> >> [SNIP]
> >>
> >> It will certainly work for signing executables and msi
> >> installers.
> >>
> >> Perhaps Steve can help with this.
>

Yes, it would be signing the IronPython .exe's, MSI, and possibly NuGet
packages (although that part of the ecosystem is in flux and I have no idea
what's going on right now).


> >>
> >
> > There are three aspects to this: technical, political and security.
> >
> > Technically, yes IronPython could absolutely be signed with the same
> certificate.
> >
> > Politically, it requires the PSF to be willing to put their name to the
> safety of the signed
> > binaries and installers. Essentially, if/when something bad is done with
> or via something signed by
> > the PSF, there is an implied responsibility (no idea how legally
> enforceable it is). I am not in a
> > position to say whether or not this is okay for IronPython.
>
> Regardless of politics (the PSF wants to help where ever we can),
> we may only sign code with the PSF code signing certificate which
> the PSF has a right to distribute.
>
> I originally was under the impression that we do, but now that I
> wanted to check, I'm having trouble finding the copyright owners
> of the code.
>
> The license is the Apache license (but without copyright holder
> information), and the stdlib is part of the installers (which the
> PSF has distribution rights to), but the IronPython runtime itself
> only says: "Copyright (c) IronPython Team", so it's not clear what
> distribution rights the PSF would have.
>

We deliberately didn't so copyright assignment at the start to avoid
dealing with the MS lawyers too much, so the bulk of the code is (c)
Microsoft, the rest would be whoever wrote it. It's a nice, low-friction
system, as long as we don't change it. :)

If we had to move to PSF copyright assignment I'd be OK with it (and I
doubt other main contributors would have an issue) but the trick would be
tracking down all other contributors and getting their sign off, and also
getting MS to sign off on it (although the MS of today would probably be
more amenable than the MS of 5 years ago).

Alternatively, maybe the *binaries* can be (c) PSF, but the code copyrights
remain the same as they are. Not sure if that's a thing. Then the PSF would
have no issues distributing the binaries. I'm pretty sure the Apache
license is enough to give the PSF (though their representative) permission
to build binaries from the source and distribute them, but IANAL, etc.


>
> > Security-wise, it is very important to minimize the number of people who
> have access to the
> > certificate. Code signed with this certificate is basically given a free
> pass by most virus scanners
> > and security software.
>
> I don't think that's a true statement. Decent virus scanners
> will still scan the files for malicious content, even if signed.
>
> It's true that minimizing the possible attack surface is always
> preferred, though.
>
> > If we decide to start signing IronPython with the PSF certificate, I'd
> be most comfortable if I were
> > doing the builds to avoid sharing the certificate any further than
> needed. But that isn't going to
> > scale when all the other interpreters want equal treatment.
> >
> > I'm not sure exactly what the cost of the certificate is to the PSF, but
> it may be an expense
> > they're willing to take to get separate certs?
>
> We can only get one code signing certificate per organization from
> our certificate provider StartSSL.
>

I don't have an issue with Steve building them; the release process is
pretty much a single make step. It's a mild annoyance for each of us, but
it would only be for final releases, so only 2-3 times a year at most.

- Jeff
___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-10 Thread M.-A. Lemburg 
On 09.02.2016 22:40, Steve Dower wrote:
> On 09Feb2016 1030, M.-A. Lemburg wrote:
>> On 09.02.2016 18:41, Jeff Hardy wrote:
>>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg  wrote:
>>>
 To everyone: We now have a PSF code signing certificate.

 I have sent the certificate to Steve for use in the Windows
 installers. If other developers need to create signed
 installers/code for Python, please let me know.

>>>
>>> Hi Marc-Andre,
>>> Would it be possible to use it for IronPython as well?
>>
>> I don't know. Steve is using it as Authenticode certificate,
>>
>> [SNIP]
>>
>> It will certainly work for signing executables and msi
>> installers.
>>
>> Perhaps Steve can help with this.
>>
> 
> There are three aspects to this: technical, political and security.
> 
> Technically, yes IronPython could absolutely be signed with the same 
> certificate.
> 
> Politically, it requires the PSF to be willing to put their name to the 
> safety of the signed
> binaries and installers. Essentially, if/when something bad is done with or 
> via something signed by
> the PSF, there is an implied responsibility (no idea how legally enforceable 
> it is). I am not in a
> position to say whether or not this is okay for IronPython.

Regardless of politics (the PSF wants to help where ever we can),
we may only sign code with the PSF code signing certificate which
the PSF has a right to distribute.

I originally was under the impression that we do, but now that I
wanted to check, I'm having trouble finding the copyright owners
of the code.

The license is the Apache license (but without copyright holder
information), and the stdlib is part of the installers (which the
PSF has distribution rights to), but the IronPython runtime itself
only says: "Copyright (c) IronPython Team", so it's not clear what
distribution rights the PSF would have.

> Security-wise, it is very important to minimize the number of people who have 
> access to the
> certificate. Code signed with this certificate is basically given a free pass 
> by most virus scanners
> and security software.

I don't think that's a true statement. Decent virus scanners
will still scan the files for malicious content, even if signed.

It's true that minimizing the possible attack surface is always
preferred, though.

> If we decide to start signing IronPython with the PSF certificate, I'd be 
> most comfortable if I were
> doing the builds to avoid sharing the certificate any further than needed. 
> But that isn't going to
> scale when all the other interpreters want equal treatment.
> 
> I'm not sure exactly what the cost of the certificate is to the PSF, but it 
> may be an expense
> they're willing to take to get separate certs?

We can only get one code signing certificate per organization from
our certificate provider StartSSL.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Feb 10 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...   http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...   http://zope.egenix.com/

2016-01-19: Released eGenix pyOpenSSL 0.13.13 ... http://egenix.com/go86

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
  http://www.malemburg.com/

___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-09 Thread Steve Dower 

On 09Feb2016 1030, M.-A. Lemburg wrote:

On 09.02.2016 18:41, Jeff Hardy wrote:

On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg  wrote:


To everyone: We now have a PSF code signing certificate.

I have sent the certificate to Steve for use in the Windows
installers. If other developers need to create signed
installers/code for Python, please let me know.



Hi Marc-Andre,
Would it be possible to use it for IronPython as well?


I don't know. Steve is using it as Authenticode certificate,

[SNIP]

It will certainly work for signing executables and msi
installers.

Perhaps Steve can help with this.



There are three aspects to this: technical, political and security.

Technically, yes IronPython could absolutely be signed with the same 
certificate.


Politically, it requires the PSF to be willing to put their name to the 
safety of the signed binaries and installers. Essentially, if/when 
something bad is done with or via something signed by the PSF, there is 
an implied responsibility (no idea how legally enforceable it is). I am 
not in a position to say whether or not this is okay for IronPython.


Security-wise, it is very important to minimize the number of people who 
have access to the certificate. Code signed with this certificate is 
basically given a free pass by most virus scanners and security software.


If we decide to start signing IronPython with the PSF certificate, I'd 
be most comfortable if I were doing the builds to avoid sharing the 
certificate any further than needed. But that isn't going to scale when 
all the other interpreters want equal treatment.


I'm not sure exactly what the cost of the certificate is to the PSF, but 
it may be an expense they're willing to take to get separate certs?


Cheers,
Steve
___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-09 Thread M.-A. Lemburg 
On 09.02.2016 18:41, Jeff Hardy wrote:
> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg  wrote:
> 
>> To everyone: We now have a PSF code signing certificate.
>>
>> I have sent the certificate to Steve for use in the Windows
>> installers. If other developers need to create signed
>> installers/code for Python, please let me know.
>>
> 
> Hi Marc-Andre,
> Would it be possible to use it for IronPython as well?

I don't know. Steve is using it as Authenticode certificate,
which NuGet also seems to be planing to use:

http://blog.nuget.org/20150203/package-signing.html

but I have no experience with .NET code signing.

They also seem to have settled for a slightly different
approach since writing the above blog post:

https://github.com/aspnet/Signing/blob/dev/Spec.md

which doesn't look compatible with Authenticode.

It will certainly work for signing executables and msi
installers.

Perhaps Steve can help with this.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Feb 09 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...   http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...   http://zope.egenix.com/

2016-01-19: Released eGenix pyOpenSSL 0.13.13 ... http://egenix.com/go86

::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
  http://www.malemburg.com/

___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-09 Thread Jeff Hardy 
On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg  wrote:

> To everyone: We now have a PSF code signing certificate.
>
> I have sent the certificate to Steve for use in the Windows
> installers. If other developers need to create signed
> installers/code for Python, please let me know.
>

Hi Marc-Andre,
Would it be possible to use it for IronPython as well?

- Jeff
___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-02-08 Thread M.-A. Lemburg 
To everyone: We now have a PSF code signing certificate.

I have sent the certificate to Steve for use in the Windows
installers. If other developers need to create signed
installers/code for Python, please let me know.

Thanks.

On 22.01.2016 10:44, M.-A. Lemburg wrote:
> On 21.01.2016 20:42, Steve Dower wrote:
>> On 21Jan2016 1031, M.-A. Lemburg wrote:
>>> I'm the one who handles the PSF StartSSL account and yes,
>>> they also do code signing certificates.
>>
>> Did they provide our current certificate? The root CA is VeriSign, not 
>> StartCom.
>>
>> I have no particular issue with changing CA, but I really don't want 
>> multiple PSF-labelled code
>> signing certificates floating around out there.
> 
> We have switched to StartSSL for most of our certificate needs.
> Some certs are also created using Gandi (for a few
> externally hosted python.org subdomains) or Digicert (for
> fastly cached domains):
> 
> https://wiki.python.org/psf/PSF%20SSL%20Certificates
> (you need a PSF wiki login to view the page)
> 
> The older Verisign ones were from before the PSF attempted to
> centralize the certificate management.
> 
> I'll send you the instructions on how to create a CSR for the
> cert offlist.
> 

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Feb 08 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...   http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...   http://zope.egenix.com/


::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
  http://www.malemburg.com/

___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers

Re: [python-committers] New Authenticode certificate

2016-01-21 Thread M.-A. Lemburg 
On 21.01.2016 17:40, Steve Dower wrote:
> (I forget exactly who to contact about the certificate, so I'm going slightly 
> more broad.)
> 
> The PSF's certificate we use to sign binaries and the installer for Windows 
> is a SHA-1 certificate,
> which has been deprecated as of the start of the year: http://aka.ms/sha1
> 
> Already Windows may warn about the certificate on our current and past 
> releases, but because the
> signature is timestamped prior to 01Jan2016 it will not be blocked. However, 
> our next releases will
> be blocked (with a bypass available) unless we update the certificate to 
> SHA-2.
> 
> Some sources have suggested that CAs will provide a SHA-2 certificate for 
> free on request.
> 
> Supporting Windows Vista and Windows Server 2008 appears to be complicated, 
> according to the link I
> gave above. I want to test the effect of only signing with SHA-2 on those 
> platforms and make a
> recommendation based on that, rather than trying to guess what will happen 
> (those OSs did not block
> downloaded files as aggressively as Windows 7+).
> 
> Happy to take this off list once I know who handles this certificate.

I'm the one who handles the PSF StartSSL account and yes,
they also do code signing certificates.

I'd suggest to take this offlist.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Experts (#1, Jan 21 2016)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> Python Database Interfaces ...   http://products.egenix.com/
>>> Plone/Zope Database Interfaces ...   http://zope.egenix.com/


::: We implement business ideas - efficiently in both time and costs :::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
  http://www.malemburg.com/

___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers