Signing extensions

Roger Binns

I would like to digitally sign the open source Python extensions I produce.
I produce source code (zip file) as well as pre-built binaries for Windows
(all Python versions from 2.3 to 3.1).

I can sign the source using my PGP key no problem. I could also sign the
Windows binaries that way but Windows users are unlikely to have PGP and the
Google code downloads page would look even worse having another 8 or 9 .asc
files.

The Windows Python distribution is signed by PGP and the normal Microsoft
way using a Verisign class 3 cert. (If you read their issuer statement it
ultimately says the cert isn't worth the bits it is printed on :) One of
those certs is $500 per year which is out of the question for me.

Does anyone have any other suggestions? Has the PSF considered running a
certificate authority for extension developers, and other Python developers
for that matter?

Roger

Neil Hodgson

Roger Binns:
> The Windows Python distribution is signed by PGP and the normal Microsoft
> way using a Verisign class 3 cert. (If you read their issuer statement it
> ultimately says the cert isn't worth the bits it is printed on :) One of
> those certs is $500 per year which is out of the question for me.

Code signing certificates that will be valid for Windows
Authenticode cost $129 per year through CodeProject

http://www.codeproject.com/services/certificates/index.aspx

> Does anyone have any other suggestions? Has the PSF considered running a
> certificate authority for extension developers, and other Python developers
> for that matter?

I'd like to see a certificate authority for open source projects
based mainly on project reputation and longevity. There may need to be
some payment to avoid flooding the CA with invalid requests - say $30
per year. It would be great if this CA was recognised by Microsoft and
Apple as well as Linux and BSD distributions.

There are some issues about identity here. Should the certificate be
for the project, an individual, or an individual within a project? You
want to know that PyExt1 comes from the genuine Ext1 project but the
build will commonly be initiated by an individual who may later be found
to be malicious. The Ext1 project should be able to revoke "Mal Icious
of Ext1" and have future releases signed by "Trust Worthy of Ext1".

Neil

Roger Binns

Neil said:
> Code signing certificates that will be valid for Windows
> Authenticode cost $129 per year through CodeProject

That isn't an amount I am prepared to pay either :) (I don't even use
Windows except as a glorified boot loader for Rise of Nations and to build
Python extensions.) With the amount of hassle it causes me, I should be
paid for the development time spent on Windows issues!

> I'd like to see a certificate authority for open source projects
> based mainly on project reputation and longevity. There may need to be
> some payment to avoid flooding the CA with invalid requests - say $30
> per year. It would be great if this CA was recognised by Microsoft and
> Apple as well as Linux and BSD distributions.

It can also be solved as low down as Python itself, as opposed to open
source in general. The Python installation could install a root CA for the
PSF certifying authority although I suspect you can't then limit its use to
only Python extensions. (I still find it amusing that the browser will
silently accept certificates from any of the ~100 CAs that come with it.
Your identity proof is only as strong as the weakest CA in the list, not the
strongest.)

It could also be solved by the download sites. For example Google Code does
allow you to visit it via https and even displays the download page over
https, but the downloads are over http. If it occurred to you then you can
click on the "Summary+Labels" for an item where they show the SHA1 of the
file, but that is even more hassle for most users.

> There are some issues about identity here.

You don't really need to worry about maliciousness. Ultimately that will
come down to reputation. I am more concerned about download sites being
hacked or malicious proxies being inserted into the network somewhere. It
is good enough to be able to establish if this new version of the extension
was produced by the same person as the previous version I have installed.
PGP works wonderfully for that, except for Windows where no one has it.

> The Ext1 project should be able to revoke ...

That is pretty trivial to do if using regular CAs and OCSP. Of course
someone still has to decide if the claim of maliciousness is correct or a
joe job.

Roger
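The key-continuity check Roger describes above (accept a new version only when it is signed by the same key as the version already installed, and otherwise flag it) written out as an added Go example; it is not code from this thread, it uses Ed25519 in place of PGP, and the archive contents, key pair names and the `Release` type are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)
// Release is a constructed stand-in for a download, its detached signature and the key shipped with it.
type Release struct {
	Data, Signature []byte
	PubKey          ed25519.PublicKey
}

var ErrBadSignature = errors.New("signature does not verify over the download")
var ErrSignerChanged = errors.New("signed by a different key than the installed version")

// VerifyContinuity checks the signature, then that the signer matches the key pinned from the
// installed version. An empty pin is a first install (trust on first use); the returned pin is stored.
func VerifyContinuity(pinned string, r Release) (string, error) {
	if !ed25519.Verify(r.PubKey, r.Data, r.Signature) {
		return "", ErrBadSignature
	}
	fp := hex.EncodeToString(r.PubKey)
	if pinned != "" && pinned != fp {
		return "", ErrSignerChanged
	}
	return fp, nil
}
// makeRelease plays the publisher: sign the archive bytes with the project's release key.
func makeRelease(pub ed25519.PublicKey, priv ed25519.PrivateKey, data []byte) Release {
	return Release{Data: data, Signature: ed25519.Sign(priv, data), PubKey: pub}
}

// Demo: install v1, accept v2 from the same key, reject a v2 altered in transit and a v3 from another key.
func Demo() (errV2, errTampered, errV3 error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	pin, err := VerifyContinuity("", makeRelease(pubA, privA, []byte("ext-1.0.zip")))
	if err != nil {
		return err, err, err
	}
	v2 := makeRelease(pubA, privA, []byte("ext-1.1.zip"))
	_, errV2 = VerifyContinuity(pin, v2)
	altered := Release{Data: []byte("ext-1.1.zip (modified by a proxy)"), Signature: v2.Signature, PubKey: pubA}
	_, errTampered = VerifyContinuity(pin, altered)
	_, errV3 = VerifyContinuity(pin, makeRelease(pubB, privB, []byte("ext-1.2.zip")))
	return errV2, errTampered, errV3
}
```

A signer change is a signal to investigate (a legitimate key rotation or a compromised download site both look the same here), which is exactly the reputation question the thread leaves to humans.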