On Mon, Dec 8, 2014 at 9:29 PM, Dennis E. Hamilton
<dennis.hamil...@acm.org> wrote:
> I don't know if this is helpful or not.  I'm not in a position to check.
>
> Thinking out loud:
>
> There are two cases of signatures.
>
>  1. Digital signing of installable components, such as DLLs and such.  This 
> is also important but a second-order problem.
>
>  2. Digital signing of the installer binary (the .EXE).  That or shipping a 
> signed .MSI.
>     This is more important.  It has to do with raising the confidence in 
> downloads and installs and is of immediate benefit.
>
> It *may* be the case that the installer binary .EXE already has room in the 
> file for a signature and it is simply not being used.  The properties on the 
> binary .EXE are also not filled in for AOO 4.1.1 en-US.  Those are the ones 
> that show a File description, File version, Product name, Product version, 
> Copyright, Language, etc.
>
> It might be worthwhile to see if the properties and signature can be injected 
> in the .EXE already.  And if not, it may be possible to rebuild the .EXE, 
> since the bits are still around.  They are what are extracted into a folder 
> which is then used for running setup.
>
> If feasible, this strikes me as a perfectly worthwhile exercise for 
> slip-streaming a signed binary of AOO 4.1.1 for Windows.  As Andrea remarks, 
> It would also be a right-sized teething exercise for our learning how to work 
> through the signing process.
>

I'm rather pessimistic.

Here's what I see as the main user annoyances related to the integrity of
AOO downloads:

1) Scams that ask for payment and then redirect to genuine versions of
AOO. So the user has lost before they even download a single byte of
our package. Signing will not help them.

2) Scams that wrap AOO's installer with an "installer" or similar app
that takes the user through a complicated set of screens to accept
various "offers" that result in adware/malware/badware being
installed.  Only then does it chain to the genuine AOO install.
Again, signing doesn't help the user.

3) Download pages that offer genuine AOO downloads, but the page is
filled with other advertisements that lure the user into clicking
them, some of which even claim they are the AOO download. Signing
doesn't help the user much here.

Note that in all of these cases, the bad code, the installer/wrapper
code, could have a digital signature as well. So user education --
don't run unsigned code -- doesn't really solve the problem here
either.

4) Annoyance of users who download genuine AOO from our website and
need to deal with extra mouse clicks to dismiss warning dialogs from
the browser, OS, antivirus, etc. This is the main thing signing
fixes.

This is worth doing, I think, for benefit #4. But by itself it
doesn't really drain the swamp. Note in particular that I have not
seen someone actually modify the AOO code or installer to make
malware. Signing would help with that, if it happened. But today
there are far easier scams.

Regards,

-Rob

> I'm all for starting with the least that could possibly work, even though I 
> have no expertise on this.
>
>  - Dennis
>
> -----Original Message-----
> From: Andrea Pescetti [mailto:pesce...@apache.org]
> Sent: Monday, December 8, 2014 15:08
> To: dev@openoffice.apache.org
> Subject: Re: Budapest and thereafter.
>
> Marcus wrote:
>> On 12/08/2014 02:32 PM, Andrea Pescetti wrote:
>>> We could actually do both, if you believe it makes sense:
>>> - signed 4.1.1 (next Windows binaries only) by end of December
>>> - 4.1.2 in January
>> IMHO this doesn't make sense and would be just a waste of resources,
>> when doing 2 releases in such a short time frame.
>> But I would tend to do only the bigger release (4.1.2) - let's say in
>> January/February. When ...
>
> Honestly, Infra would like (and they are right) that after asking for
> years for digital signing, we actually use it. We can't put many
> obstacles in front of it. So a long list of things that we must have
> ready before that won't work. Signing Windows binaries will have to
> happen, and users will benefit from it in terms of trust in OpenOffice.
>
> Assuming that more or less we can master the technology, distributing
> the 4.1.1 signed binaries is not a huge feat for us (it would need
> production of the new binaries and their upload to a new directory like
> "windows-signed" and defaulting to "windows-signed" in the JavaScript in
> the download page). It is far less than a release and at least it could
> show that on this (new for OpenOffice) topic we are ready.
>
> In case I wasn't clear (and this is my fault for not summarizing the
> Budapest talks correctly) signed binaries have high priority. One way is
> to make a 4.1.2 release and sign it, and this requires going through the
> whole process (no, it can't be a Windows-only release). Another way is
> to ship a signed version of the existing 4.1.1 binaries as a "warm up"
> for the moment when this will be an integral part of the release process.
>
> Regards,
>    Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org
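
A defender-side check that follows from Dennis's question about whether the
installer .EXE carries a signature and filled-in version properties, and from
Rob's point that a wrapper "installer" can be validly signed too. This is an
added example, not code from this thread or from the OpenOffice project. It
uses only standard PowerShell cmdlets; the installer path and the expected
publisher string are placeholders that a release manager would fill in from
the project's own signing certificate.

```powershell
# Added example, not from the thread or the AOO build: inspect a downloaded
# installer before running it. Save as Check-Installer.ps1 and run, e.g.
#   .\Check-Installer.ps1 -Path .\<downloaded-installer>.exe
param(
    [Parameter(Mandatory = $true)][string]$Path,
    # Placeholder: the O= / CN= value printed on the project's real signing cert.
    [string]$ExpectedSubjectPattern = 'O=<publisher name as on the signing certificate>'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. Is there an Authenticode signature at all, and does its chain validate
#    on this machine? Status is NotSigned, Valid, HashMismatch, UnknownError, ...
Write-Host "Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "$Path is not validly signed ($($sig.StatusMessage))."
}

# 2. A valid signature only proves that *someone* with a certificate signed
#    the file; an adware wrapper can be validly signed by its own publisher.
#    So pin the signer's subject (or better, its thumbprint) to the publisher
#    you actually expect, rather than stopping at Status -eq 'Valid'.
if ($sig.SignerCertificate) {
    Write-Host "Signer subject   : $($sig.SignerCertificate.Subject)"
    Write-Host "Thumbprint       : $($sig.SignerCertificate.Thumbprint)"
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubjectPattern*") {
        Write-Warning "Signer does not match the expected publisher."
    }
}

# 3. The version resource Dennis mentions. These fields are what Explorer's
#    Properties dialog shows; on a properly built binary they are filled in.
$vi = (Get-Item -LiteralPath $Path).VersionInfo
foreach ($field in 'FileDescription', 'FileVersion', 'ProductName',
                   'ProductVersion', 'LegalCopyright', 'Language') {
    $value = $vi.$field
    if ([string]::IsNullOrWhiteSpace($value)) { $value = '<empty>' }
    Write-Host ("{0,-16}: {1}" -f $field, $value)
}
```

The useful part is step 2: the browser and SmartScreen warnings that benefit #4
is about go away with any valid signature, so a user who wants to know they
have the genuine package has to look at who signed it, not just that it is
signed. Comparing the thumbprint against a value published on the project's
own download page is the stricter version of the same check.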