[Issue 16065] Provide digitally signed binaries for Windows
May 23, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

James King <1337@lwshost.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |1337@lwshost.com

--
May 24, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #1 from Sobirari Muhomori <dfj1esp02@sneakemail.com> ---
Signature on binaries can be forged in the same way: obtain a valid certificate with a similar CN and use it.

--
May 25, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #2 from James King <1337@lwshost.com> ---
It would be nice if there was something akin to a "D Language Foundation" certificate issued by VeriSign or equivalent.

The difficulty and effort required to compromise (or "compromise") both the
delivery mechanism (https://downloads.dlang.org) and the delivery package (the
signed executable) become significantly harder with each added security
mechanism.

--
May 26, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #3 from Sobirari Muhomori <dfj1esp02@sneakemail.com> ---
A more reliable mechanism would be a PGP signature. If you check against only one key, it will be equivalent to key pinning. Oh, and the ultimate security is to build everything from source.

--
May 26, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

b2.temp@gmx.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |b2.temp@gmx.com

--- Comment #4 from b2.temp@gmx.com ---
"-4" for the Windows certificate because

- It is not free. It's a commercial system, e.g. there are companies whose business it is to sell them.

- Companies who deliver them for free do it only for FOSS, but DMD is not fully FOSS.

- This system usually just reassures people who know nothing about software, but since DMD is dedicated to programmers this is not useful at all.

- This system means nothing unless the software checks itself for the certificate at run-time (e.g. Windows only checks on execution if UAC is toggled on).

Windows certificates are just a trick invented in the early 2010s to steal the money of developers. The impact on security is very low, since this system would have been useful ten years before (early 2000s, XP, the freeware galore, ...) when Windows was still the main platform used as a malware vector.

I would advise you not to lose time getting DMD, the tools and the installer signed. ;)

--
June 07, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #5 from James King <1337@lwshost.com> ---
PGP signatures work fine for *nix systems, but this requires either compiling PGP from source for Windows, or finding some other distributor of PGP binaries for Windows before you can even run the check. To add to that, PGP signatures must also be delivered over HTTPS, and even then, again, the only barrier to supplying a bad binary is to gain access to the web server.

On the other hand, with signed code, an attacker has to compromise both the web server (delivery mechanism) and go through the process of obtaining a code signing key that looks legitimate enough from a CA that issues them. Not necessarily the hardest problem, but it's a two-step process.

I will agree that it is disappointing that the pricing is as steep as it is ($84 to $800 depending on the vendor, per year) but I would argue that the lower end is a manageable price if it helps prevent bad binaries from being distributed. The ones I found on the lower end were Comodo (directly and indirectly), GoDaddy, GlobalSign, and DigiCert.

--
June 08, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #6 from Sobirari Muhomori <dfj1esp02@sneakemail.com> ---
(In reply to James King from comment #5)
> To add to that, PGP signatures must also be delivered over HTTPS

AFAIK, they can be delivered over HTTP just fine. It's a key property of a digital signature that it can't be realistically forged because of math behind cryptography.

> and even then, again, the
> only barrier to supplying a bad binary is to gain access to the web server.

The signature doesn't prevent supplying a bad binary from the web server. It prevents running the bad binary if the user checks the signature and pays attention to the failed check and decides to not run it.

--
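The property comments #3 and #6 turn on, checking against one pinned publisher key and trusting the signature rather than the transport, as an added Go example that is not part of this thread or of the dlang tooling; it uses Ed25519 in place of PGP, and the archive bytes and keys are constructed for the demonstration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what the download server hands out: archive bytes plus a detached
// signature. Both may travel over plain HTTP; trust comes from the signature,
// not the transport (comment #6).
type Release struct {
	Archive, Signature []byte
}

// Sign is the publisher side: a detached Ed25519 signature over the archive.
func Sign(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{archive, ed25519.Sign(priv, archive)}
}

// Verify is the user side. It checks against exactly one pinned publisher key
// (comment #3), never against a name, so a look-alike key with a plausible
// name (comment #1) has nothing to match.
func Verify(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Archive, r.Signature)
}

// Scenarios reports whether each of the thread's three cases verifies: the
// genuine release, the same release edited on the server, and a release
// signed by a different key.
func Scenarios() (genuine, tampered, lookalike bool) {
	pinned, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	archive := []byte("dmd-release.zip: constructed sample bytes")
	good := Sign(priv, archive)
	genuine = Verify(pinned, good)

	bad := Release{append([]byte{}, archive...), good.Signature}
	bad.Archive[0] ^= 1 // attacker with web-server access alters the file
	tampered = Verify(pinned, bad)

	_, priv2, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key
	lookalike = Verify(pinned, Sign(priv2, archive))
	return
}

func main() {
	g, t, l := Scenarios()
	fmt.Println("genuine:", g, "tampered:", t, "lookalike:", l)
}
```

Note that the tampered archive still arrives on the user's machine; as comment #6 says, the check only stops it from being run if the user acts on the failed result.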
June 10, 2016
https://issues.dlang.org/show_bug.cgi?id=16065

--- Comment #7 from Sobirari Muhomori <dfj1esp02@sneakemail.com> ---
BTW looks like distribution archives are already signed, see keys at https://dlang.org/gpg_keys.html

--
November 03, 2019
https://issues.dlang.org/show_bug.cgi?id=16065

Basile-z <b2.temp@gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #8 from Basile-z <b2.temp@gmx.com> ---
Being done for a full year or so now.

--
March 21, 2020
https://issues.dlang.org/show_bug.cgi?id=16065

Basile-z <b2.temp@gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|b2.temp@gmx.com             |

--