[Issue 16065] New: Provide digitally signed binaries for Windows

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Mon May 23 11:17:12 PDT 2016


https://issues.dlang.org/show_bug.cgi?id=16065

          Issue ID: 16065
           Summary: Provide digitally signed binaries for Windows
           Product: D
           Version: D2
          Hardware: All
                OS: Windows
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: installer
          Assignee: nobody at puremagic.com
          Reporter: 1337 at lwshost.com

Hi all!

Would it be possible to provide digitally signed binaries for the DMD Windows
installers? Additionally, though this is likely outside the scope, perhaps
[eventually] LDC and GDC installers could be hosted here as well [and signed]?

Currently they are delivered over HTTP, and there is no way to be certain that
the files truly originated from the downloads.dlang.org server or somewhere
else. Even if HTTPS and HSTS were made available, this wouldn't protect users
in a hypothetical scenario where the web server itself was compromised or where
a Man-in-the-Middle attack had replaced the D website with another website that
had a 'valid certificate' issued by another CA.

I realize that this may be tricky to add into the build/release process, as
protecting the signing key now becomes a critical issue, but I wanted to bring
it up as I saw no previous or existing issues that covered this topic.

Thank you for your consideration.

--
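
Added example, not part of the original report or of the D project's tooling: one way a user could check a signed Windows installer independently of the server it was downloaded from, pinning the signer so that a certificate issued to someone else by another trusted CA is rejected. The script parameters and the function name Test-InstallerSignature are hypothetical, and the expected thumbprint is a placeholder that must be obtained from the publisher out of band.

```powershell
# Added example: verify an installer's Authenticode signature and pin the signer.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    # Placeholder: thumbprint of the publisher's code-signing certificate,
    # obtained through a channel other than the download server.
    [Parameter(Mandatory)] [string] $ExpectedThumbprint
)

function Test-InstallerSignature {
    param([string] $Path, [string] $PinnedThumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a root trusted on this machine. It does not say who signed.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # Pin the signer: any CA-issued code-signing certificate would pass the
    # check above, so compare against the one certificate we expect.
    $expected = ($PinnedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $actual   = $sig.SignerCertificate.Thumbprint.ToUpperInvariant()
    if ($actual -ne $expected) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) [$actual]"
        return $false
    }

    # Without a timestamp countersignature the signature stops validating
    # once the signing certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        Write-Warning "Signature carries no timestamp countersignature."
    }
    return $true
}

if (Test-InstallerSignature -Path $InstallerPath -PinnedThumbprint $ExpectedThumbprint) {
    Write-Output "Signature valid and signer matches the pinned certificate."
} else {
    Write-Error "Do not run this installer: signature check failed."
    exit 1
}
```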