
Digital Signatures for the official Vim binaries on Windows

  • Philip Taron
    Message 1 of 14, Jan 2, 2012
      Hey all,

      I noticed for some time now that the official Vim binaries distributed
      on vim.org for Windows users aren't digitally signed.

      Is this due to lack of funds, lack of desire, technical limitations,
      or personal choice?

      If it is lack of funds, I'd like to donate so this could happen.

      Philip

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
    • Taylor Hedberg
      Message 2 of 14, Jan 2, 2012
        I can't answer your question, though I suspect it's just because not
        that many people feel that it's important, and a large portion of
        "advanced" users (at least those not on Windows) either build Vim from
        source or obtain a binary version via their operating system's package
        manager, which usually means it's signed by the OS maintainers.

        But I'm curious, why would it cost money to do this? GnuPG is free, so
        whatever the reason, I doubt that it's a monetary issue.
      • Tony Mechelynck
        Message 3 of 14, Jan 2, 2012
          On 03/01/12 00:11, Philip Taron wrote:
          > Hey all,
          >
          > I noticed for some time now that the official Vim binaries distributed
          > on vim.org for Windows users aren't digitally signed.
          >
          > Is this due to lack of funds, lack of desire, technical limitations,
          > or personal choice?
          >
          > If it is lack of funds, I'd like to donate so this could happen.
          >
          > Philip
          >

          IIUC, Bram's binaries are (outdated but) signed: see either of the MD5
          and MD5SUMS files in the ftp://ftp.vim.org/pub/vim/pc/ directory.

          If you want an up-to-date Vim for Windows, I recommend Steve Hall's "Vim
          without Cream", http://sourceforge.net/projects/cream/files/Vim/ — that
          one doesn't seem to be signed but is it Steve's or SourceForge's policy?


          Best regards,
          Tony.
          --
          God is a comic playing to an audience that's afraid to laugh.

        • Philip Taron
          Message 4 of 14, Jan 2, 2012
            I'm talking about Authenticode signing, where the binary contains signing and repudiation information. There are a couple problems with signing outside the binary:

            1. The file itself doesn't contain any provenance information
            2. There's no way to verify that the catalog file containing the MD5s is itself signed (or originated from a trusted source)

            This leaves alone the problem of using MD5, which is no longer useful for digital signature verification. Wikipedia's got a good writeup on why... http://en.wikipedia.org/wiki/MD5#Security


            Here's examples of the differences between signed and unsigned binaries: http://imgur.com/a/7xJK0 (I used a recently downloaded version of Firefox as an example.)

            Cream distro -- well, that one suffers from the same problem. I'd prefer to use the vim.org/Bram build of Vim if I can, since I can be sure it is fully up to date and doesn't have janky personal customizations and patches. 

            Why does it take funds? Because not everyone can be a certificate authority. There is a chain of trust that originates in the set of root certificates installed on everyone's machines, and self-signed certs must be manually added on every machine that wants to trust that author is who he or she claims they are.

            Philip 

            On Mon, Jan 2, 2012 at 5:48 PM, Tony Mechelynck <antoine.mechelynck@...> wrote:
            > On 03/01/12 00:11, Philip Taron wrote:
            > > Hey all,
            > >
            > > I noticed for some time now that the official Vim binaries distributed
            > > on vim.org for Windows users aren't digitally signed.
            > >
            > > Is this due to lack of funds, lack of desire, technical limitations,
            > > or personal choice?
            > >
            > > If it is lack of funds, I'd like to donate so this could happen.
            > >
            > > Philip
            >
            > IIUC, Bram's binaries are (outdated but) signed: see either of the MD5 and MD5SUMS files in the ftp://ftp.vim.org/pub/vim/pc/ directory.
            >
            > If you want an up-to-date Vim for Windows, I recommend Steve Hall's "Vim without Cream", http://sourceforge.net/projects/cream/files/Vim/ — that one doesn't seem to be signed but is it Steve's or SourceForge's policy?
            >
            > Best regards,
            > Tony.
            > --
            > God is a comic playing to an audience that's afraid to laugh.

          • Steve Hall
            Message 5 of 14, Jan 2, 2012
              On Mon, Jan 2, 2012 at 8:48 PM, Tony Mechelynck wrote:
              > On 03/01/12 00:11, Philip Taron wrote:
              > >
              > > I noticed for some time now that the official Vim binaries
              > > distributed on vim.org for Windows users aren't digitally signed.
              > >
              > > Is this due to lack of funds, lack of desire, technical
              > > limitations, or personal choice?
              >
              > IIUC, Bram's binaries are (outdated but) signed: see either of the
              > MD5 and MD5SUMS files in the ftp://ftp.vim.org/pub/vim/pc/
              > directory.
              >
              > If you want an up-to-date Vim for Windows, I recommend Steve Hall's
              > "Vim without Cream",
              > http://sourceforge.net/projects/cream/files/Vim/ — that one doesn't
              > seem to be signed but is it Steve's or SourceForge's policy?

              No policy, but I'd be curious to know what the OP believes to be
              practically accomplished with signed files. Perhaps we're just talking
              about the official binaries? Or just checksums?


              --
              Steve Hall [ digitect dancingpaper com ]

            • Ben Fritz
              Message 6 of 14, Jan 2, 2012
                On Jan 2, 9:41 pm, Steve Hall <digit...@...> wrote:
                >
                > No policy, but I'd be curious to know what the OP believes to be
                > practically accomplished with signed files. Perhaps we're just talking
                > about the official binaries? Or just checksums?
                >

                Maybe so you can install on Windows without the "are you sure you want
                to run this file from an unverifiable source?". If it were signed I
                think it would be a less scary message.

                Personally I don't really care :-)

              • Steve Hall
                Message 7 of 14, Jan 2, 2012
                  On Mon, Jan 2, 2012 at 10:28 PM, Philip Taron <philip.taron@...>
                  wrote:
                  > I'm talking about Authenticode signing, where the binary contains
                  > signing and repudiation information.
                  [...]
                  > My main reason for desiring this is summed up here:
                  > http://www.hanselman.com/blog/UsingCodeSigningCertificatesToSignDownloadedMSIsAndBuildReputationWithIE9SmartScreen.aspx
                  >
                  > Here's examples of the differences between signed and unsigned
                  > binaries: http://imgur.com/a/7xJK0 (I used a recently downloaded
                  > version of Firefox as an example.)

                  This is a Microsoft scare tactic, there's no reason not to trust
                  software if you are confident of where you got it. You can eat food
                  from state certified restaurants and get sick, or eat at a neighbor's
                  house and feel great. (I'd even argue the latter is safer.)

                  So I'd love to see the point made using Free Software and not
                  requiring license fees or key hosting by whatever corporation. (Unless
                  the case is being made that only state sponsored food should be
                  allowed.)

                  > Cream distro -- well, that one suffers from the same problem. I'd
                  > prefer to use the vim.org/Bram build of Vim if I can, since I can be
                  > sure it is fully up to date and doesn't have janky personal
                  > customizations and patches.

                  You obviously don't get the point of Free Software. :)

                  > Why does it take funds? Because not everyone can be a certificate
                  > authority. There is a chain of trust that originates in the set of
                  > root certificates installed on everyone's machines, and self-signed
                  > certs must be manually added on every machine that wants to trust
                  > that author is who he or she claims they are.

                  It only takes funds because the crooks that are trying to scare
                  everyone into a fully sponsored "security solutions" need money to
                  survive.

                  --
                  Steve Hall [ digitect dancingpaper com ]

                • Philip Taron
                  Message 8 of 14, Jan 2, 2012
                    > No policy, but I'd be curious to know what the OP believes to be
                    > practically accomplished with signed files. Perhaps we're just talking
                    > about the official binaries? Or just checksums?

                    I'm only interested in the official binaries. The problem of determining that the sources retrieved from the official master repository are the same sources is something else entirely.

                    1. Integrity. I know the binary has not been modified in transit in some form. Catalog signing, like the MD5 file talked about here, also accomplishes this, provided that there is something that signs it, and so on.

                    2. Identity. I know that the person claiming to be Bram Moolenaar (or Steve Hall, or whomever) is certified to be that person by some certification authority I already trust.

                    3. Authorship. Combining the previous benefits, I know the file is intact, that Bram really is a person/org, and that he really produced this file. 

                    4. Provenance. I know that the binary I got from vim.org actually originated with someone who both controlled vim.org and also the private cert for codesigning the binaries there. (This is only if vim.org supports https, which it currently does not.)

                    5. UX benefits. I'm restricting this to Windows, since I have no idea of the state of PKI/code signing/etc on Linux or MacOS. On Windows, executables that are digitally signed are presented differently than binaries which are unsigned.

                    6. Revokability. If the prior constraints do not hold true (due to a systems failure, vulnerability, or loss of private key, for instance) the certificate can be revoked immediately.

                    7. Individual revokability. If a particular binary suffers from a very bad vulnerability, it can explicitly be pulled.

                    There's also a couple white-listing benefits, which are completely ancillary.

                    8. Anti-malware benefits. Most AV engines (and in particular the one used by MS, for instance in Security Essentials) are able to author whitelist signatures for known good certs.  

                    9. Reputation services (like Smart Screen for downloads in IE9). Over time, these can provide actual trust benefits (like http://www.hanselman.com/blog/UsingCodeSigningCertificatesToSignDownloadedMSIsAndBuildReputationWithIE9SmartScreen.aspx illustrates.)

                    In reality, my personal motivation is to get rid of that damn unsigned dialog, but from an objective standpoint my motivations don't matter. :)

                    Philip
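
The thread contrasts a detached MD5 list with an Authenticode signature carried inside the binary, and notes that a signed file could be swapped for an unsigned one without anyone noticing. As an added example (not code from any poster or from the Vim project), this Python reads a PE file's Certificate Table to report whether an embedded signature blob is present at all; it does not validate the signature or its certificate chain. The function names and the header-only sample images are assumptions constructed for the illustration.

```python
import struct

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA, used by Authenticode


class NotPE(ValueError):
    """Input is not a well-formed PE image."""


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if empty."""
    try:
        if data[:2] != b"MZ":
            raise NotPE("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise NotPE("missing PE signature")
        opt = pe_off + 24                       # PE signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise NotPE("unknown optional-header magic")
        dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR:
            return None
        # For this one directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise NotPE("truncated header") from exc
    return (offset, size) if offset and size else None


def embedded_signatures(data: bytes):
    """List the WIN_CERTIFICATE entries stored in the file (presence only)."""
    table = certificate_table(data)
    if table is None:
        return []
    offset, size = table
    end = offset + size
    if end > len(data):
        raise NotPE("certificate table runs past end of file")
    entries = []
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise NotPE("corrupt WIN_CERTIFICATE entry")
        entries.append({"type": cert_type, "revision": revision,
                        "blob_len": length - 8})
        offset += (length + 7) & ~7             # entries are 8-byte aligned
    return entries


def triage(data: bytes) -> str:
    """Classify a download; 'signature-present' still needs real verification."""
    types = [e["type"] for e in embedded_signatures(data)]
    return "signature-present" if PKCS_SIGNED_DATA in types else "unsigned"


def constructed_pe(signed: bool) -> bytes:
    """Constructed sample: header-only PE32 image, optionally with a dummy blob."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                        # 96 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 10         # placeholder, not a real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
        header_len = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, image in (("signed", constructed_pe(True)),
                         ("swapped", constructed_pe(False))):
        print(label, triage(image), embedded_signatures(image))
```

A "signature-present" result only says a blob is attached; confirming the signer and chain is the job of the platform verifier, such as the Windows file-properties dialog shown in the screenshots linked above.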

                  • tux.
                    Message 9 of 14, Jan 2, 2012
                      No one said vim.org will never be compromised.

                    • Philip Taron
                      Message 10 of 14, Jan 2, 2012
                         
                        > This is a Microsoft scare tactic, there's no reason not to trust
                        > software if you are confident of where you got it. You can eat food
                        > from state certified restaurants and get sick, or eat at a neighbor's
                        > house and feel great. (I'd even argue the latter is safer.)

                        Dare I note that both sourceforge.net and vim.org are not offered over https? Without that, there's no way to know whether I'm eating at a mockup of my neighbor's house or at the house itself.

                        > So I'd love to see the point made using Free Software and not
                        > requiring license fees or key hosting by whatever corporation. (Unless
                        > the case is being made that only state sponsored food should be
                        > allowed.)
                        >
                        > > Cream distro -- well, that one suffers from the same problem. I'd
                        > > prefer to use the vim.org/Bram build of Vim if I can, since I can be
                        > > sure it is fully up to date and doesn't have janky personal
                        > > customizations and patches.
                        >
                        > You obviously don't get the point of Free Software. :)

                        Hey, enough with the hate, suffixed with smiley faces as it is. Anything prefaced with the phrase "I prefer" surely is meant only in a personal manner. More power to you for creating and maintaining Cream. It's not _my_ preference.

                        > > Why does it take funds? Because not everyone can be a certificate
                        > > authority. There is a chain of trust that originates in the set of
                        > > root certificates installed on everyone's machines, and self-signed
                        > > certs must be manually added on every machine that wants to trust
                        > > that author is who he or she claims they are.
                        >
                        > It only takes funds because the crooks that are trying to scare
                        > everyone into a fully sponsored "security solutions" need money to
                        > survive.

                        Root of trust, distribution of keys, revocation, and the other associated issues with a global PKI are real problems. In a free software context, see the hack on kernel.org and GNU savannah...


                        Digitally signing the binaries wouldn't have eliminated either of these problems, but would have made cleaning up after them quite a bit easier.

                        Philip 

                      • Philip Taron
                        Message 11 of 14, Jan 2, 2012
                          > > > Cream distro -- well, that one suffers from the same problem. I'd
                          > > > prefer to use the vim.org/Bram build of Vim if I can, since I can be
                          > > > sure it is fully up to date and doesn't have janky personal
                          > > > customizations and patches.
                          > >
                          > > You obviously don't get the point of Free Software. :)
                          >
                          > Hey, enough with the hate, suffixed with smiley faces as it is. Anything prefaced with the phrase "I prefer" surely is meant only in a personal manner. More power to you for creating and maintaining Cream. It's not _my_ preference.

                          On consideration, I apologize for the "janky" characterization. It was uncalled for.

                          Philip

                        • Ernie Rael
                          Message 12 of 14, Jan 2, 2012


                            On 1/2/2012 8:43 PM, Philip Taron wrote:
                            > Dare I note that both sourceforge.net and vim.org are not offered over https? Without that, there's no way to know whether I'm eating at a mockup of my neighbor's house or at the house itself.

                            When I log into sf.net I start getting an https URL.

                            -ernie

                          • Bram Moolenaar
                            Message 13 of 14, Jan 4, 2012
                              Philip Taron wrote:

                              > I noticed for some time now that the official Vim binaries distributed
                              > on vim.org for Windows users aren't digitally signed.
                              >
                              > Is this due to lack of funds, lack of desire, technical limitations,
                              > or personal choice?
                              >
                              > If it is lack of funds, I'd like to donate so this could happen.

                              It's a lot of hassle to get this certification, costs quite a bit of
                              money (several thousand dollars), and only gives a little bit of
                              protection. The obvious way around it is to just replace the signed
                              binary with a not signed binary, hardly anyone would notice.

                              In practice messing with the files has never happened and if it did it
                              would most likely be detected and fixed quickly.

                              Trojan horses are a big problem, but the signature is a very weak
                              protection against them.

                              --
                              If cars evolved at the same rate as computers have, they'd cost five euro,
                              run for a year on a couple of liters of petrol, and explode once a day.

                              /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
                              /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
                              \\\ an exciting new programming language -- http://www.Zimbu.org ///
                              \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

                            • Philip Taron
                              Message 14 of 14, Jan 4, 2012
                                > It's a lot of hassle to get this certification, costs quite a bit of
                                > money (several thousand dollars), and only gives a little bit of
                                > protection.  The obvious way around it is to just replace the signed
                                > binary with a not signed binary, hardly anyone would notice.
                                >
                                > In practice messing with the files has never happened and if it did it
                                > would most likely be detected and fixed quickly.
                                >
                                > Trojan horses are a big problem, but the signature is a very weak
                                > protection against them.

                                I'll drop the topic. Thanks for providing the current consensus opinion.

                                Philip
