[Issue 16065] Provide digitally signed binaries for Windows
via Digitalmars-d-bugs
digitalmars-d-bugs at puremagic.com
Tue Jun 7 08:35:19 PDT 2016
https://issues.dlang.org/show_bug.cgi?id=16065
--- Comment #5 from James King <1337 at lwshost.com> ---
PGP signatures work fine for *nix systems, but this requires either compiling
PGP from source for windows, or finding some other distributor of PGP binaries
for windows before you can even run the check. To add to that, PGP signatures
must also be delivered over HTTPS, and even then, again, the only barrier to
supplying a bad binary is to gain access to the web server.
On the other hand, with signed code, an attacker has to compromise both the web
server (delivery mechanism) and go through the process of obtaining a code
signing key that looks legitimate enough from a CA that issues them. Not the
necessarily the hardest problem, but it's a two step process.
I will agree that it is disappointing that the pricing is as steep as it is
($84 to $800 depending on the vendor, per year) but I would argue that the
lower end is a manageable price if it helps prevent bad binaries from being
distributed. The ones I found on the lower end were Comodo (directly and
indirectly), GoDaddy, GlobalSign, and DigiCert.
--
More information about the Digitalmars-d-bugs
mailing list