[Python-Dev] Do we need to sign Windows files with GnuPG?

Fri, 03 Apr 2015 02:59:15 -0700 



As of Python 3.5 Steve Dower has taken over the Windows builds of Python 
from Martin van Loewis.  He's also taken over for 2.7--though Martin's 
still doing builds for 3.4.



For both versions, Steve is using all-new tooling for the build 
process.  The output is different, too; he's producing .exe installers 
instead of .msi installers, and he has snazzy new "web-based" installers 
where the initial download is small, then it downloads the rest dynamically.



Steve's also changed the authentication process.  His new installers 
rely on a Windows digital signature technology called Authenticode where 
the signature is built right into the .exe file.  Windows platforms will 
automatically authenticate executables signed with Authenticode, so this 
is both secure and convenient.



Martin's build process also digitally signed the files he built, but not 
using Authenticode (or at least I don't think so).  Like the Mac and 
source code releases, his automation used GnuPG to produce separate 
".asc" files containing digital signatures.  This meant authentication 
was a manual process.



The Authenticode approach sounds great.  But there are advantages to the 
GnuPG approach too:


 * Using GnuPG means we can authenticate the files from any platform,
   not just Windows.  If there were a security breach on the Python
   content delivery network, any developer could get GnuPG for their
   platform and authenticate that the installers are unmodified.  If we
   use Authenitcode,
 * GnuPG is agnostic about the data it digitally signs.  So, for
   example, Martin's build process digitally signs the Windows help
   file--the ".chm" file--produced by his build process.  The help file
   Steve builds is currently completely unsigned; Steve says he can try
   signing it but he's not sure it'll work.  Note that .chm files
   actually /can/ contain live code, so this is at least a plausible
   vector for attack.



My Windows development days are firmly behind me.  So I don't really 
have an opinion here.  So I put it to you, Windows Python developers: do 
you care about GnuPG signatures on Windows-specific files?  Or do you 
not care?



//arry/


p.s. And, of course, my thanks to both Steve and Martin for their past 
and continuing service to the Python community!  It's a pleasure working 
with each of them.  (Both of them?  I forget how English works.)

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com






















					Reply via email to