[Issue 16065] New: Provide digitally signed binaries for Windows
digitalmars-d-bugs at puremagic.com
Mon May 23 11:17:12 PDT 2016
Issue ID: 16065
Summary: Provide digitally signed binaries for Windows
Assignee: nobody at puremagic.com
Reporter: 1337 at lwshost.com
Would it be possible to provide digitally signed binaries for the DMD Windows
installers? Additionally, though this is likely outside the scope, perhaps
[eventually] LDC and GDC installers could be hosted here as well [and signed]?
Currently they are delivered over HTTP, and there is no way to be certain that
the files truly originated from the downloads.dlang.org server or somewhere
else. Even if HTTPS and HSTS were made available, this wouldn't protect users
in a hypothetical scenario where the web server itself was compromised or where
a Man-in-the-Middle attack had replaced the D website with another website that
had a 'valid certificate' issued by another CA.
I realize that this may be tricky to add into the build/release process, as
protecting the signing key now becomes a critical issue, but I wanted to bring
it up as I saw no previous or existing issues that covered this topic.
Thank you for your consideration.
More information about the Digitalmars-d-bugs