
Re: [tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way



#3861: begin signing Windows packages the Windows way
--------------------------------------+-------------------------------------
 Reporter:  erinn                     |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  normal                    |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------

Comment(by ioerror):

 Replying to [comment:2 rransom]:
 >
 > Distributing all of our packages as .exe files signed in this manner
 > will do more harm than good to our users unless they check that each
 > package is signed by the exact certificate which we use to sign packages.

 As I understand this discussion, we are trying to augment our signature
 system to reach platform and feature parity without a bootstrapping
 problem.

 gpg is the basic way signatures are created and verified on Free and Open
 Source platforms such as Debian GNU/Linux.

 On Windows gpg signature verification requires clients to download gpg and
 as far as I understand gpg packaging on Windows, a new problem appears and
 it is the same: How does the user verify the download of gpg? Practically,
 most users don't get this far but if they did, I don't believe they have a
 trust path to gpg either.

 The main goal here is to allow a potential user to find a trust path to
 *either* gpg or the win32 code signing valid key; in an ideal world they
 will verify the gpg signature - practically, they at least will have the
 ability to verify the Windows signature if gpg is unavailable.

 As I understand how the packages are built and will continue to be built,
 the gpg signature will still sign the packages and inside the packages
 we'll have some kind of native platform signature.

 From where I stand, I think this only improves the security in theory and
 practically, we can now raise the bar for tampering with packages to
 owning a CA and/or faking a GPG trust path. This seems to be a much higher
 bar than is currently the case today.

 Erinn, does that sound about right?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
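The point rransom raises, that a signature only helps if the user checks it came from the exact expected signer, applies to the gpg path in the thread as much as to the Authenticode one: `gpg --verify` exits 0 for a good signature from any key in the keyring. As an added example (not code from the ticket or from the Tor Project), this Python script accepts a detached signature only if gpg's VALIDSIG status line names a pinned fingerprint; the fingerprint, the file names and the sample status output are constructed placeholders.

```python
import subprocess

# Constructed placeholder for the release key's primary fingerprint. A real
# deployment pins the project's real fingerprint, obtained out of band; that
# out-of-band step is the "trust path" the ticket discussion is about.
EXPECTED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status tokens that must cause rejection even if a VALIDSIG line is also
# present (e.g. a file carrying one bad and one good signature).
REJECT_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def signed_by_pinned_key(status_output: str, expected_fpr: str) -> bool:
    """Accept only a good signature whose key, or its primary key, matches the pin.

    GOODSIG names any key in the keyring, so it is not enough: a user tricked
    into importing an attacker's key still sees GOODSIG. VALIDSIG carries the
    signing key's full fingerprint and, as its last field, the fingerprint of
    the primary key that owns that signing subkey.
    """
    expected = expected_fpr.replace(" ", "").upper()
    pinned_ok = False
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT_TOKENS:
            return False
        if parts[1] == "VALIDSIG" and expected in (parts[2].upper(), parts[-1].upper()):
            pinned_ok = True
    return pinned_ok


def verify_detached(package_path: str, sig_path: str, expected_fpr: str) -> bool:
    """Run gpg with machine-readable status output and apply the pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, package_path],
        capture_output=True, text=True, check=False)
    return signed_by_pinned_key(proc.stdout, expected_fpr)


# Constructed sample status output, shaped like gpg --status-fd lines.
STATUS_PINNED_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <releases@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2011-08-25 1314230400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_OTHER_KEY = STATUS_PINNED_KEY.replace(EXPECTED_FINGERPRINT, "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <releases@example.org>\n"

if __name__ == "__main__":
    for name, status in [("pinned", STATUS_PINNED_KEY), ("other", STATUS_OTHER_KEY), ("bad", STATUS_BAD)]:
        print(name, signed_by_pinned_key(status, EXPECTED_FINGERPRINT))
```

The same discipline is what a Windows-side check needs: compare the signer certificate of the Authenticode signature against the project's pinned certificate rather than stopping at "signature valid".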
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs