I'm talking about Authenticode signing, where the binary contains signing and repudiation information. There are a couple of problems with signing outside the binary:

1. The file itself doesn't contain any provenance information
2. There's no way to verify that the catalog file containing the MD5s is itself signed (or originated from a trusted source)

This leaves alone the problem of using MD5, which is no longer useful for digital signature verification. Wikipedia's got a good writeup on why... http://en.wikipedia.org/wiki/MD5#Security

My main reason for desiring this is summed up here: http://www.hanselman.com/blog/UsingCodeSigningCertificatesToSignDownloadedMSIsAndBuildReputationWithIE9SmartScreen.aspx

Here are examples of the differences between signed and unsigned binaries: http://imgur.com/a/7xJK0 (I used a recently downloaded version of Firefox as an example.)

Cream distro -- well, that one suffers from the same problem. I'd prefer to use the vim.org/Bram build of Vim if I can, since I can be sure it is fully up to date and doesn't have janky personal customizations and patches.

Why does it take funds? Because not everyone can be a certificate authority. There is a chain of trust that originates in the set of root certificates installed on everyone's machines, and self-signed certs must be manually added on every machine that wants to trust that the author is who he or she claims to be.

Philip

On Mon, Jan 2, 2012 at 5:48 PM, Tony Mechelynck <[email protected]> wrote:
> On 03/01/12 00:11, Philip Taron wrote:
>
>> Hey all,
>>
>> I noticed for some time now that the official Vim binaries distributed
>> on vim.org for Windows users aren't digitally signed.
>>
>> Is this due to lack of funds, lack of desire, technical limitations,
>> or personal choice?
>>
>> If it is lack of funds, I'd like to donate so this could happen.
>>
>> Philip
>>
>
> IIUC, Bram's binaries are (outdated but) signed: see either of the MD5 and
> MD5SUMS files in the ftp://ftp.vim.org/pub/vim/pc/ directory.
>
> If you want an up-to-date Vim for Windows, I recommend Steve Hall's "Vim
> without Cream", http://sourceforge.net/projects/cream/files/Vim/ --
> that one doesn't seem to be signed but is it Steve's or SourceForge's
> policy?
>
> Best regards,
> Tony.
> --
> God is a comic playing to an audience that's afraid to laugh.

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
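As an added illustration of the distinction drawn in the message above (this is editor-supplied example code, not code from the thread, from vim.org or from the Vim project), the following Python script locates an Authenticode signature where it actually lives: inside the PE file, in the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, as one or more WIN_CERTIFICATE structures wrapping a PKCS#7 SignedData blob. It contrasts that with what an MD5SUMS file gives you, which is a digest comparison with no signer identity attached. The header-only PE image and the signature bytes it builds are constructed stand-ins for a self-contained run, not a real signed Vim binary; the script only finds the embedded blob and does not validate the signature or the certificate chain.

```python
"""Locate an embedded Authenticode signature in a PE file (added example).

Authenticode keeps the PKCS#7 SignedData inside the binary: the security data
directory (index 4) holds the file offset and size of WIN_CERTIFICATE entries.
An external MD5SUMS file carries nothing comparable. This only finds the blob;
it does not verify the signature or the chain.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def find_authenticode_blobs(data):
    """Return the WIN_CERTIFICATE entries referenced by the PE security directory.

    Each entry is a dict with 'revision', 'type' and 'certificate' (the raw
    bCertificate bytes, normally DER PKCS#7 SignedData). An empty list means no
    embedded signature. Malformed input raises ValueError.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if opt + size_of_opt > len(data):
        raise ValueError("optional header runs past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at offset 96
        dd_off = opt + 96
    elif magic == 0x20B:        # PE32+: data directories start at offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    sec_off, sec_size = struct.unpack_from(
        "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if sec_off == 0 or sec_size == 0:
        return []
    # Unlike every other directory, this entry is a raw file offset, not an RVA.
    end = sec_off + sec_size
    if end > len(data):
        raise ValueError("security directory points outside the file")
    blobs, pos = [], sec_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        blobs.append({"revision": revision, "type": cert_type,
                      "certificate": data[pos + 8:pos + length]})
        pos += (length + 7) & ~7       # entries are padded to 8-byte boundaries
    return blobs


def is_authenticode_signed(data):
    """True if the PE carries at least one PKCS#7 SignedData certificate entry."""
    return any(b["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for b in find_authenticode_blobs(data))


def md5sums_match(data, md5sums_text, filename):
    """What an MD5SUMS file gives you: a digest comparison, with no signer.
    Lines are '<hex digest>  <name>' (name may carry a leading '*')."""
    digest = hashlib.md5(data).hexdigest()
    for line in md5sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower() == digest
    return False


def build_minimal_pe(signed_data=None):
    """Constructed sample: header-only PE32+ image, optionally with a
    WIN_CERTIFICATE appended and referenced from the security directory.
    `signed_data` is a stand-in for the DER blob, not real SignedData."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 0 sections
    opt_fixed = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    header_len = len(dos) + 4 + len(coff) + len(opt_fixed) + 16 * 8  # 328 bytes
    if signed_data is None:
        cert, sec = b"", (0, 0)
    else:
        cert = struct.pack("<IHH", 8 + len(signed_data), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signed_data
        cert += b"\0" * (-len(cert) % 8)
        sec = (header_len, len(cert))
    dirs = b"".join(struct.pack("<II", *(sec if i == IMAGE_DIRECTORY_ENTRY_SECURITY
                                         else (0, 0))) for i in range(16))
    return dos + b"PE\0\0" + coff + opt_fixed + dirs + cert


if __name__ == "__main__":
    fake_sig = b"\x30\x82\x01\x00" + b"\xAA" * 12          # placeholder, not DER
    print("signed:  ", is_authenticode_signed(build_minimal_pe(fake_sig)))
    print("unsigned:", is_authenticode_signed(build_minimal_pe()))
```

Run it against a real download by reading the file into `find_authenticode_blobs`; an empty list is what the unsigned vim.org build looks like from the file's own contents, whatever an MD5SUMS file beside it says. The `certificate` bytes of a real signed binary are the DER PKCS#7 structure that Windows' `Get-AuthenticodeSignature` or `signtool verify` would go on to validate.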
