So, AFAIU from this discussion:

* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums

As far as downstream packaging on Windows (people who should/could be subscribed to release ANNs):

For Chocolatey NuGet:

* https://chocolatey.org/packages/python
* https://chocolatey.org/packages/python.x86
* https://chocolatey.org/packages/python2
* https://chocolatey.org/packages/python-x86_32
* https://chocolatey.org/packages/python3

Python(x,y):

* https://code.google.com/p/pythonxy/

For Anaconda (the MS Azure chosen python distribution):

* http://docs.continuum.io/anaconda/install.html#windows-install

...

These should/could/are checking GPG signatures for Windows packages downstream.

http://www.scipy.org/install.html

On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <mal at egenix.com> wrote:

> On 04.04.2015 00:14, Steve Dower wrote:
> > The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :)
> >
> > Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless there's a CA involved like there is for Authenticode, there's no existing trust in that key.
>
> Hashes only provide checks against file corruption (and then only if you can trust the hash values). GPG provides all the benefits of public key encryption on arbitrary files (not just code).
>
> The main benefit in case of downloadable installers is to be able to make sure that the files are authentic, meaning that they were created and signed by the people listed as packagers.
>
> There is no CA infrastructure involved as for SSL certificates or Authenticode, but it's easy to get the keys from key servers given the key signatures available from python.org's download pages.
>
> If you want to sign a package file using GPG, you will need to create your own key, upload it to the key servers and then place the signature up on the download page.
>
> Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed:
>
> https://www.python.org/ftp/python/3.4.3/
>
> Cheers,
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source
> >>> Python/Zope Consulting and Support ... http://www.egenix.com/
> >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/
>
> > Cheers,
> > Steve
> >
> > Top-posted from my Windows Phone
> > ________________________________
> > From: M.-A. Lemburg<mailto:mal at egenix.com>
> > Sent: 4/3/2015 10:55
> > To: Steve Dower<mailto:Steve.Dower at microsoft.com>; Larry Hastings<mailto:larry at hastings.org>; Python Dev<mailto:python-dev at python.org>; python-committers<mailto:python-committers at python.org>
> > Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
> >
> > On 03.04.2015 19:35, Steve Dower wrote:
> >>> My Windows development days are firmly behind me. So I don't really have an opinion here. So I put it to you, Windows Python developers: do you care about GnuPG signatures on Windows-specific files? Or do you not care?
> >>
> >> The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page).
> >
> > FWIW: I regularly check the GPG sigs on all important downloaded files, regardless of which platform they target, including the Windows installers for Python or any other Windows installers I use which provide such sigs.
> >
> > The reason is simple:
> > The signature is a proof of authenticity which is not bound to a particular file format or platform and before running .exes it's good to know that they were built by the right people and not manipulated by trojans, viruses or malicious proxies.
> >
> > Is that a good enough reason to continue providing the GPG sigs or do you need more proof of goodness ? ;-)
> >
> > --
> > Marc-Andre Lemburg
> > eGenix.com
> >
> > Professional Python Services directly from the Source
> >>>> Python/Zope Consulting and Support ... http://www.egenix.com/
> >>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
> >>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> > ________________________________________________________________________
> >
> > ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
> >
> >
> > eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> > D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> > Registered at Amtsgericht Duesseldorf: HRB 46611
> > http://www.egenix.com/company/contact/
> >
> > _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
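The two checks this thread contrasts, a published hash versus a detached GPG signature, as a POSIX shell script a downstream packager could run on a downloaded installer. This is an added example, not code from the thread, from python.org or from any of the packagers listed above. It assumes GNU coreutils `sha256sum` and the `gpg` command line, and that the signer's public key has already been fetched into the local keyring; the file names, expected digest and key fingerprint are placeholders passed as arguments. The signature check pins the signer by reading the `VALIDSIG` line from gpg's `--status-fd` output rather than trusting the exit code alone, which is what replaces a CA when there is none: the fingerprint is what you cross-check against the release page.

```shell
#!/bin/sh
# Added example (not from the thread or python.org). Placeholders:
# FILE, SIGFILE, FINGERPRINT and EXPECTED_SHA256 come from the caller.

# check_sha256 FILE EXPECTED_HEX
# 0 if FILE's SHA-256 equals EXPECTED_HEX (case-insensitive), 1 if not,
# 2 if FILE is missing. A matching digest only shows the bytes are the ones
# the digest was computed over: if the digest was served from the same
# place as the file, whoever could swap the file could swap the digest.
check_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_gpg_sig FILE SIGFILE FINGERPRINT
# 0 only when gpg reports a valid detached signature over FILE made by the
# key whose full fingerprint is FINGERPRINT. gpg's exit code is 0 for any
# valid signature from any key in the keyring, so the fingerprint is taken
# from the machine-readable "[GNUPG:] VALIDSIG <fpr> ..." status line and a
# valid signature from some other key is still rejected.
# 1 = no valid signature from that key, 2 = missing input, 3 = no gpg.
verify_gpg_sig() {
    file=$1
    sig=$2
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    command -v gpg >/dev/null 2>&1 || return 3
    { [ -f "$file" ] && [ -f "$sig" ]; } || return 2
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# verify_download FILE SIGFILE FINGERPRINT EXPECTED_SHA256
# Runs both checks, prints one line per check, returns 0 only if both pass.
# A missing gpg counts as a failure: an unchecked signature is not a pass.
verify_download() {
    rc=0
    if check_sha256 "$1" "$4"; then
        echo "sha256: OK"
    else
        echo "sha256: MISMATCH or file missing"
        rc=1
    fi
    rc_sig=0
    verify_gpg_sig "$1" "$2" "$3" || rc_sig=$?
    case $rc_sig in
        0) echo "gpg: valid signature from key $3" ;;
        3) echo "gpg: gpg not installed, signature not checked"; rc=1 ;;
        *) echo "gpg: signature NOT verified (code $rc_sig)"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh verify_download.sh INSTALLER.exe INSTALLER.exe.asc FINGERPRINT SHA256HEX
if [ "$#" -eq 4 ]; then
    verify_download "$1" "$2" "$3" "$4"
fi
```

Both checks are deliberately separate functions: the digest catches download corruption and a mirror serving the wrong file, while only the signature says anything about who produced the file, and only if the fingerprint you pass was obtained from somewhere other than the download itself.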