On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> For the record, that is a Symantec/Verisign code signing certificate. We
> paid $1123 for it last April. It expires April 2017.
>
> If you don't switch to a different vendor, e.g. startssl, please contact
> me for renewal in 2017.

FWIW: The PSF mostly uses StartSSL nowadays and they also support
code signing certificates. Given that this option is a lot cheaper
than Verisign, I think we should switch, unless there are significant
reasons not to. We should revisit this in 2017.

> KBK
>
> On Sat, Apr 4, 2015, at 10:35 AM, Steve Dower wrote:
>> Small clarification: the certificates *are* the same format as for SSL,
>> and OpenSSL is able to validate them in the same way as well as
>> generate them (but not extract embedded ones, AFAICT). But generally SSL
>> certificates are not marked as suitable for code signing so you need to
>> buy a separate one.
>>
>> Both Martin and I have the PSF's code signing cert private key, which is
>> how we can sign with the "Python Software Foundation" name. The public
>> key is embedded into every signed file, just like an SSL cert is attached
>> to a site or an S/MIME cert is embedded in a signed email.
>>
>> Cheers,
>> Steve
>>
>> Top-posted from my Windows Phone
>> ________________________________
>> From: Steve Dower <steve.do...@microsoft.com>
>> Sent: 4/4/2015 7:25
>> To: Wes Turner <wes.tur...@gmail.com>; M. -A. Lemburg <m...@egenix.com>
>> Cc: python-committers <python-committ...@python.org>; Python-Dev <python-dev@python.org>
>> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
>>
>> "Authenticode does not have a PKI"
>>
>> If you got that from this discussion, I need everyone to at least skim
>> read this:
>> https://msdn.microsoft.com/en-us/library/ie/ms537361(v=vs.85).aspx
>>
>> Authenticode uses the same certificate infrastructure as SSL (note: not
>> the same certificates). As I see it, anyone running on Windows has access
>> to verification that is at least as good as GPG, and the only people who
>> would benefit from GPG sigs are those checking Windows files on another
>> OS or those with an existing GPG workflow on Windows (before this thread,
>> I knew nobody who used GPG on Windows for anything, so forgive me for
>> thinking this is very rare).
>>
>> Cheers,
>> Steve
>>
>> Top-posted from my Windows Phone
>> ________________________________
>> From: Wes Turner <wes.tur...@gmail.com>
>> Sent: 4/4/2015 6:42
>> To: M. -A. Lemburg <m...@egenix.com>
>> Cc: Python-Dev <python-dev@python.org>; python-committers <python-committ...@python.org>; Larry Hastings <la...@hastings.org>; Steve Dower <steve.do...@microsoft.com>
>> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
>>
>> So, AFAIU from this discussion:
>>
>> * Authenticode does not have a PKI
>> * GPG does have PKI
>> * ASC signatures are signed checksums
>>
>> As far as downstream packaging on Windows (people who should/could be
>> subscribed to release ANNs):
>>
>> For Chocolatey NuGet:
>>
>> * https://chocolatey.org/packages/python
>> * https://chocolatey.org/packages/python.x86
>> * https://chocolatey.org/packages/python2
>> * https://chocolatey.org/packages/python-x86_32
>> * https://chocolatey.org/packages/python3
>>
>> Python(x,y):
>>
>> * https://code.google.com/p/pythonxy/
>>
>> For Anaconda (the MS Azure chosen python distribution):
>>
>> * http://docs.continuum.io/anaconda/install.html#windows-install
>>
>> ...
>>
>> These should/could/are checking GPG signatures for Windows packages
>> downstream.
>>
>> http://www.scipy.org/install.html
>>
>> On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <m...@egenix.com> wrote:
>> On 04.04.2015 00:14, Steve Dower wrote:
>>> The thing is, that's exactly the same goodness as Authenticode gives,
>>> except everyone gets that for free and meanwhile you're the only one who
>>> has admitted to using GPG on Windows :)
>>>
>>> Basically, what I want to hear is that GPG sigs provide significantly
>>> better protection than hashes (and I can provide better than MD5 for all
>>> files if it's useful), taking into consideration that (I assume) I'd have
>>> to obtain a signing key for GPG and unless there's a CA involved like there
>>> is for Authenticode, there's no existing trust in that key.
>>
>> Hashes only provide checks against file corruption (and then
>> only if you can trust the hash values). GPG provides all the
>> benefits of public key encryption on arbitrary files (not just
>> code).
>>
>> The main benefit in case of downloadable installers is to
>> be able to make sure that the files are authentic, meaning that
>> they were created and signed by the people listed as packagers.
>>
>> There is no CA infrastructure involved as for SSL certificates
>> or Authenticode, but it's easy to get the keys from key servers
>> given the key signatures available from python.org's download
>> pages.
>>
>> If you want to sign a package file using GPG, you will need
>> to create your own key, upload it to the key servers and then
>> place the signature up on the download page.
>>
>> Relying only on Authenticode for Windows installers would
>> result in a break in technology w/r to the downloads we
>> make available for Python, since all other files are (usually)
>> GPG signed:
>>
>> https://www.python.org/ftp/python/3.4.3/
>>
>> Cheers,
>> --
>> Marc-Andre Lemburg
>> eGenix.com
>>
>>> Cheers,
>>> Steve
>>>
>>> Top-posted from my Windows Phone
>>> ________________________________
>>> From: M.-A. Lemburg <m...@egenix.com>
>>> Sent: 4/3/2015 10:55
>>> To: Steve Dower <steve.do...@microsoft.com>; Larry Hastings <la...@hastings.org>; Python Dev <python-dev@python.org>; python-committers <python-committ...@python.org>
>>> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
>>>
>>> On 03.04.2015 19:35, Steve Dower wrote:
>>>>> My Windows development days are firmly behind me. So I don't really have an
>>>>> opinion here. So I put it to you, Windows Python developers: do you care about
>>>>> GnuPG signatures on Windows-specific files? Or do you not care?
>>>>
>>>> The later replies seem to suggest that they are general goodness that
>>>> nobody on Windows will use. If someone convinces me (or steamrolls me,
>>>> that's fine too) that the goodness of GPG is better than a hash then I'll
>>>> look into adding it into the process. Otherwise I'll happily add hash
>>>> generation into the upload process (which I'm going to do anyway for the
>>>> ones displayed on the download page).
>>>
>>> FWIW: I regularly check the GPG sigs on all important downloaded
>>> files, regardless of which platform they target, including the
>>> Windows installers for Python or any other Windows installers
>>> I use which provide such sigs.
>>>
>>> The reason is simple:
>>> The signature is a proof of authenticity which is not bound to
>>> a particular file format or platform and before running .exes
>>> it's good to know that they were built by the right people and
>>> not manipulated by trojans, viruses or malicious proxies.
>>>
>>> Is that a good enough reason to continue providing the GPG
>>> sigs or do you need more proof of goodness ? ;-)
>>>
>>> --
>>> Marc-Andre Lemburg
>>> eGenix.com

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
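Steve's remark that OpenSSL can validate Authenticode certificates but not pull the embedded ones out of a signed file is the part a practitioner on a non-Windows box runs into first. The following is an added example, not code from this thread, from CPython or from the PSF release process: it locates the PE attribute certificate table through data directory 4 (whose "VirtualAddress" is a plain file offset), walks the 8-byte-aligned WIN_CERTIFICATE entries and returns each PKCS#7 SignedData blob so it can be handed to `openssl pkcs7 -inform DER -print_certs`. The `build_sample_pe` helper constructs a minimal, non-executable PE image purely as test input; the PKCS#7 bytes in it are a placeholder, not a real signature. Offsets follow the published PE/COFF layout (COFF header of 20 bytes, data directories at optional-header offset 96 for PE32 and 112 for PE32+).

```python
"""Extract embedded Authenticode signatures (PKCS#7 SignedData) from a PE file.

Added example for the python-dev thread on Authenticode vs. GPG; not project code.
Only the standard library is used so the check runs on any platform.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds DER PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def _security_directory(pe: bytes):
    """Return (file_offset, size) of the attribute certificate table, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20             # PE signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    if magic == 0x10B:                      # PE32
        dir_base = opt_hdr + 96
    elif magic == 0x20B:                    # PE32+
        dir_base = opt_hdr + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None                         # file carries no signature at all
    return offset, size


def extract_authenticode(pe: bytes) -> list:
    """Return every PKCS#7 SignedData blob in the certificate table ([] if unsigned)."""
    loc = _security_directory(pe)
    if loc is None:
        return []
    offset, size = loc
    end = offset + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    blobs = []
    pos = offset
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7            # entries are padded to 8-byte boundaries
    return blobs


def build_sample_pe(pkcs7: bytes, pe32plus: bool = True) -> bytes:
    """Construct a minimal PE image carrying one signature entry (test input only).

    This is not a runnable executable; it has just enough header to locate the
    security directory. The PKCS#7 bytes passed in are whatever the caller gives.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    header = bytes(dos) + b"PE\0\0" + coff
    cert_off = (len(header) + opt_size + 7) & ~7      # table starts 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    entry += b"\0" * ((-len(entry)) % 8)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(entry))
    image = header + bytes(opt)
    image += b"\0" * (cert_off - len(image))
    return image + entry


if __name__ == "__main__":
    # usage: extract_authenticode.py installer.exe out.p7b
    with open(sys.argv[1], "rb") as fh:
        sigs = extract_authenticode(fh.read())
    if not sigs:
        sys.exit("no Authenticode signature present")
    with open(sys.argv[2], "wb") as out:
        out.write(sigs[0])
    print("wrote %d bytes; inspect with: openssl pkcs7 -inform DER -in %s -print_certs -noout"
          % (len(sigs[0]), sys.argv[2]))
```

Extracting the blob only gets you the signer chain and the signed digest; it does not replace verification. Checking that the embedded digest matches the file (the Authenticode hash skips the checksum field, the security directory entry and the certificate table itself) and chaining the signer to a trusted root is still the job of signtool/WinVerifyTrust on Windows or a tool such as osslsigncode elsewhere, which is exactly the gap the GPG detached signatures in the thread fill for non-Windows users.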