For the record, that is a Symantec/Verisign code signing certificate. We paid $1123 for it last April. It expires April 2017.
If you don't switch to a different vendor, e.g. startssl, please contact me for renewal in 2017.

KBK

On Sat, Apr 4, 2015, at 10:35 AM, Steve Dower wrote:
> Small clarification: these certificates *are* the same format as for SSL,
> and OpenSSL is able to validate them in the same way as well as
> generate them (but not extract embedded ones, AFAICT). But generally SSL
> certificates are not marked as suitable for code signing so you need to
> buy a separate one.
>
> Both Martin and I have the PSF's code signing cert private key, which is
> how we can sign with the "Python Software Foundation" name. The public
> key is embedded into every signed file, just like an SSL cert is attached
> to a site or an S/MIME cert is embedded in a signed email.
>
> Cheers,
> Steve
>
> Top-posted from my Windows Phone
> ________________________________
> From: Steve Dower <steve.do...@microsoft.com>
> Sent: 4/4/2015 7:25
> To: Wes Turner <wes.tur...@gmail.com>; M. -A. Lemburg <m...@egenix.com>
> Cc: python-committers <python-committ...@python.org>; Python-Dev <python-dev@python.org>
> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
>
> "Authenticode does not have a PKI"
>
> If you got that from this discussion, I need everyone to at least skim
> read this:
> https://msdn.microsoft.com/en-us/library/ie/ms537361(v=vs.85).aspx
>
> Authenticode uses the same certificate infrastructure as SSL (note: not
> the same certificates). As I see it, anyone running on Windows has access
> to verification that is at least as good as GPG, and the only people who
> would benefit from GPG sigs are those checking Windows files on another
> OS or those with an existing GPG workflow on Windows (before this thread,
> I knew nobody who used GPG on Windows for anything, so forgive me for
> thinking this is very rare).
>
> Cheers,
> Steve
>
> Top-posted from my Windows Phone
> ________________________________
> From: Wes Turner <wes.tur...@gmail.com>
> Sent: 4/4/2015 6:42
> To: M. -A. Lemburg <m...@egenix.com>
> Cc: Python-Dev <python-dev@python.org>; python-committers <python-committ...@python.org>; Larry Hastings <la...@hastings.org>; Steve Dower <steve.do...@microsoft.com>
> Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
>
>
> So, AFAIU from this discussion:
>
> * Authenticode does not have a PKI
> * GPG does have PKI
> * ASC signatures are signed checksums
>
> As far as downstream packaging on Windows (people who should/could be
> subscribed to release ANNs):
>
> For Chocolatey NuGet:
>
> * https://chocolatey.org/packages/python
> * https://chocolatey.org/packages/python.x86
> * https://chocolatey.org/packages/python2
> * https://chocolatey.org/packages/python-x86_32
> * https://chocolatey.org/packages/python3
>
> Python(x,y):
>
> * https://code.google.com/p/pythonxy/
>
> For Anaconda (the MS Azure chosen python distribution):
>
> * http://docs.continuum.io/anaconda/install.html#windows-install
>
> ...
>
> These should/could/are checking GPG signatures for Windows packages
> downstream.
>
> http://www.scipy.org/install.html
>
> On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" <m...@egenix.com> wrote:
> On 04.04.2015 00:14, Steve Dower wrote:
> > The thing is, that's exactly the same goodness as Authenticode gives,
> > except everyone gets that for free and meanwhile you're the only one who
> > has admitted to using GPG on Windows :)
> >
> > Basically, what I want to hear is that GPG sigs provide significantly
> > better protection than hashes (and I can provide better than MD5 for all
> > files if it's useful), taking into consideration that (I assume) I'd have
> > to obtain a signing key for GPG and unless there's a CA involved like there
> > is for Authenticode, there's no existing trust in that key.
>
> Hashes only provide checks against file corruption (and then
> only if you can trust the hash values). GPG provides all the
> benefits of public key encryption on arbitrary files (not just
> code).
>
> The main benefit in case of downloadable installers is to
> be able to make sure that the files are authentic, meaning that
> they were created and signed by the people listed as packagers.
>
> There is no CA infrastructure involved as for SSL certificates
> or Authenticode, but it's easy to get the keys from key servers
> given the key signatures available from python.org's download
> pages.
>
> If you want to sign a package file using GPG, you will need
> to create your own key, upload it to the key servers and then
> place the signature up on the download page.
>
> Relying only on Authenticode for Windows installers would
> result in a break in technology w/r to the downloads we
> make available for Python, since all other files are (usually)
> GPG signed:
>
> https://www.python.org/ftp/python/3.4.3/
>
> Cheers,
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source
> >>> Python/Zope Consulting and Support ... http://www.egenix.com/
> >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
> >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
>
> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/
>
> > Cheers,
> > Steve
> >
> > Top-posted from my Windows Phone
> > ________________________________
> > From: M.-A. Lemburg <m...@egenix.com>
> > Sent: 4/3/2015 10:55
> > To: Steve Dower <steve.do...@microsoft.com>; Larry Hastings <la...@hastings.org>; Python Dev <python-dev@python.org>; python-committers <python-committ...@python.org>
> > Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG?
> >
> > On 03.04.2015 19:35, Steve Dower wrote:
> >>> My Windows development days are firmly behind me. So I don't really have an
> >>> opinion here. So I put it to you, Windows Python developers: do you care about
> >>> GnuPG signatures on Windows-specific files? Or do you not care?
> >>
> >> The later replies seem to suggest that they are general goodness that
> >> nobody on Windows will use. If someone convinces me (or steamrolls me,
> >> that's fine too) that the goodness of GPG is better than a hash then I'll
> >> look into adding it into the process. Otherwise I'll happily add hash
> >> generation into the upload process (which I'm going to do anyway for the
> >> ones displayed on the download page).
> >
> > FWIW: I regularly check the GPG sigs on all important downloaded
> > files, regardless of which platform they target, including the
> > Windows installers for Python or any other Windows installers
> > I use which provide such sigs.
> >
> > The reason is simple:
> > The signature is a proof of authenticity which is not bound to
> > a particular file format or platform and before running .exes
> > it's good to know that they were built by the right people and
> > not manipulated by trojans, viruses or malicious proxies.
> >
> > Is that a good enough reason to continue providing the GPG
> > sigs or do you need more proof of goodness ? ;-)
> >
> > --
> > Marc-Andre Lemburg
> > eGenix.com
> >
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
> _______________________________________________
> python-committers mailing list
> python-committ...@python.org
> https://mail.python.org/mailman/listinfo/python-committers
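Steve's point that Authenticode certificates share the SSL certificate format and PKI but carry a different extended key usage can be demonstrated with Go's standard library. This is an added example, not code from the thread or from the PSF's signing setup: it mints two constructed self-signed certificates, one marked for TLS server authentication and one for code signing, and checks each against the code-signing usage; the subject names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a self-signed X.509 certificate carrying the given extended
// key usages. Constructed test data only: not a CA-issued or PSF certificate.
func mkCert(cn string, eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  eku, // the only field that differs between the two certs below
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifiesFor chains the certificate to a trusted root while requiring the
// given usage, which is the check a code-signing verifier applies to a signer.
func verifiesFor(cert *x509.Certificate, usage x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed, so it acts as its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err == nil
}

func main() {
	web, _ := mkCert("www.example.org", x509.ExtKeyUsageServerAuth)
	signer, _ := mkCert("Example Signer", x509.ExtKeyUsageCodeSigning)
	fmt.Println("TLS cert accepted for code signing?", verifiesFor(web, x509.ExtKeyUsageCodeSigning))
	fmt.Println("Code-signing cert accepted?", verifiesFor(signer, x509.ExtKeyUsageCodeSigning))
}
```

Both certificates parse and chain identically; only the extended key usage decides which one a code-signing verifier accepts.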