Cryptographically signed releases

Alex Efros powerman at powerman.name
Fri Jan 3 21:43:43 CET 2014


Hi!

On Fri, Jan 03, 2014 at 08:51:44PM +0100, Marc Lehmann wrote:
> On Fri, Jan 03, 2014 at 04:35:46PM +0100, Mariska Koch <omgoch at gmail.com> wrote:
> > Can you distribute your source code (the tar.gz files) via for example https
> What would the point of https be?

To make sure sources won't be compromised during download by a MITM attack.

> > and provide cryptographic signatures for the releases such that users
> > can know that they got the software from you and not from Mallory?
> And that somehow makes it trustworthy? And how would users know that from
> a signature anyway? Who would be the trust broker for the signature?

Users will know this signature is from the official website, protected by https.

> I am not convinced the added value is actually worth the effort.

This won't protect against government agencies who are able to get a fake https
certificate for any website signed by one of the hundreds of CAs trusted by
major browsers, but for all other cases it should provide assurance to the
user that she really downloaded an unmodified file from the official website.

If not for real users, this may be useful for distribution developers, to
minimize the chance of occasionally including a compromised version of some software.

=====

Some users (including me) prefer to use https whenever possible for any
website (and use browser plugins to enforce this), so it's always a good
idea to make _any_ website available using https.

BTW, startssl.com provides https certificates for free.

As for signatures - sometimes we have to download sources from somewhere
else, not from the official website. Because the official website is down, or
because it doesn't provide the old version which we need, or because we
already have this file and don't wanna re-download it. In these cases it's
always good to have the ability to check whether this file was modified or not -
which is usually done using MD5/SHA1 signatures from the official website
(or from the webarchived/googlecached version of that site if it's down now).

So, https and signatures aren't useless - they really add some value.
But, yeah, maybe this value isn't actually worth the effort for you.
Personally I get all your software from my distribution's packages, don't
visit your site on a regular basis, and your files aren't too large to try
to avoid re-downloading them if I suspect I may have a modified file.
So, for me, https+signatures is a “nice to have” feature, no more.

-- 
			WBR, Alex.
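One way to do the "was this file modified" check the message describes, as an added example that is not part of the original post or the rxvt-unicode project: it parses a checksum list in the `<hexdigest>  <filename>` format that sha256sum/md5sum write and verifies each listed file against it. The filenames and file contents are constructed for the demo.

```python
"""Added example (not code from the rxvt-unicode project or the post): verify
downloaded release files against a published `<hexdigest>  <filename>` list,
the format coreutils' sha256sum/md5sum write. sha256 is used instead of the
MD5/SHA1 the post mentions, since those are weak against collision attacks."""
import hashlib
import hmac
import os
import tempfile

def parse_checksum_file(text):
    expected = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if digest:  # skip blank lines
            # '*' prefixes the name in coreutils "binary mode" output
            expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large tarballs need not be read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(directory, checksum_text, algo="sha256"):
    """Return {filename: True (match) | False (mismatch) | None (file missing)}."""
    results = {}
    for name, digest in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        # constant-time comparison; both sides are ASCII hex strings
        results[name] = hmac.compare_digest(file_digest(path, algo), digest)
    return results

def demo():
    """Constructed sample: an intact tarball, one altered in transit, one missing."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed stand-in for a release tarball, not a real one"
        for name, data in (("good.tar.gz", good), ("tampered.tar.gz", good + b"#junk")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        h = hashlib.sha256(good).hexdigest()
        sums = f"{h}  good.tar.gz\n{h} *tampered.tar.gz\n{'0' * 64}  missing.tar.gz\n"
        return verify_release(d, sums)
```

A missing entry (None) is worth treating as a failure too, since it means the file set on disk differs from what the publisher listed.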
