On 22 June 2012 13:09, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote: > Paul Moore <p.f.moore <at> gmail.com> writes: > >> Signed binaries may be a solution. My experience with signed binaries >> has not been exactly positive, but it's an option. Presumably PyPI >> would be the trusted authority? Would PyPI and the downloaders need to >> use SSL? Would developers need to have signing keys to use PyPI? And >> more to the point, do the people designing the packaging solutions >> have experience with this sort of stuff (I sure don't )? > > I'm curious - what problems have you had with signed binaries?
As a user, I guess not that much. I may be misremembering bad experiences with different things. We've had annoyances with self-signed jars, and websites. It's generally more about annoying "can't confirm this should be trusted, please verify" messages which people end up just saying "yes" to (and so ruining any value from the check). But I don't know how often I have used them, to the extent that the only time I'm aware of them is when they don't work silently (e.g., I get a prompt asking if I want to trust this publisher - this is essentially a failure, as I always say "yes" simply because I have no idea how I would go about deciding that I do trust them, beyond what I've already done in locating and downloading the software from them!) > I dipped my toes > in this particular pool with the Python launcher installers - I got a code > signing certificate and signed my MSIs with it. The process was fairly > painless. OK, that's a good example, I didn't even realise those installers were signed, making it an excellent example of how easy it can be when it works. But you say "I got a code signing certificate". How? When I dabbled with signing, the only option I could find that didn't involve paying and/or having a registered domain of my own was a self-signed certificate, which from a UI point of view seems of little use "Paul Moore says you should trust him. Do you? Yes/No"... If signed binaries is the way we go, then we should be aware that we exclude people who don't have certificates from uploading to PyPI. Maybe that's OK, but without some sort of check I don't know how many current developers that would exclude, let alone how many potential developers would be put off. A Python-supported build farm, which signed code on behalf of developers, might alleviate this. But then we need to protect against malicious code being submitted to the build farm, etc. > As far as I know, all signing does is to indicate that the binary package > hasn't > been tampered with and allows the downloader to decide whether they trust the > signer not to have allowed backdoors, etc. I don't see that it mandates use of > SSL, or even signing, by anyone. At least some people will require that an > installer be invokable with an option that causes it to bail if any part of > what's being installed can't be verified (for some value of "verified"). Fair enough. I don't object to offering the option to verify signatures (I think I said something like that in an earlier message). I do have concerns about making signed code mandatory. (Not least over whether it'd let me install my own unsigned code!) Paul _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
