From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43162] - Verification for Microsoft Windows incompletely described
Date Mon, 20 Aug 2007 11:07:30 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43162>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43162


krixel@wp.pl changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |




------- Additional Comments From krixel@wp.pl  2007-08-20 04:07 -------
(In reply to comment #3)
> It's true that to verify the signatures on the Ant releases you need to have
> installed some software on Windows. You can choose to install PGP or you can
> choose to install gnupg as part of cygwin or gpg4win. I'd go for the cygwin
> route.

Probably right but that wants an explanation anyway.

> The fact that Antoine's key is not registered with PGP corp does not make it
> invalid. It is registered with the public key server at http://pgp.mit.edu/
> It is also listed in the KEYS file in the Ant repository and on the Ant
> website.

The PGP Desktop software can be manually configured to look up keys at that 
server but it comments the result as untrusted because the server itself is 
untrusted.  I think it would be much easier to persuade Mr Levy-Lambert to 
publish his key on their registry as well.

Here is the relevant quote of the PGP Desktop documentation:

To PGP Desktop, the PGP Global Directory is a trusted keyserver, and PGP 
Desktop will automatically trust any key it finds there. During the initial 
connection to the PGP Global Directory, the PGP Global Directory Verification 
Key is downloaded, signed, and trusted by the key you publish to the 
directory. All of the keys verified by the PGP Global Directory are thus 
considered valid by your PGP Desktop.

It seems it is hardwired.

> You need to decide what level of trust *you* give these key sources.
> The Ant project is not hostile to Microsoft. I'm not sure why you would
> understand that, even if it were true. Many Ant developers, including myself,
> use Windows. 

Because of the quotes I have given.  While they are not outright hostile, they 
make me feel guilty of not using Linux.  Combine that with the description of 
the verification process that implicitly assumes the reader is using Linux.

> I'm doubtful we will make available cabinet files. In fact I looked up signed
> cabinet file on Wikipedia and there is a lot less information than there is
> about gpg.

I can understand that; software publishing certificates for signing cabinet 
files cannot be self-made, they have to be issued by a valid certification 
authority like VeriSign 
<http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html>.  
They charge a yearly fee for that.  A notable exception is Microsoft itself: 
they stand as the certificate authority for their own products; however, their 
signatures are countersigned by VeriSign.

Other than that, the signing process is described at MSDN 
<http://msdn2.microsoft.com/en-us/library/aa387764.aspx>.  Replicating that 
information on Wikipedia would hardly make any sense because the content is 
not encyclopedic and because it is proprietary.  Microsoft will support code 
signing until it goes down; after that the problem will go away by itself.

I have created a signed cabinet file (with a bogus signature, of course) but 
it is too large to upload.  Incidentally, it is much smaller than your 
original ZIP.


> I'm not 100% sure what you are referring to about the mirrors archive having a
> different name. The download pages all point to the master key file and not the
> mirrored copy because Apache only controls the masters. If a mirror is
> compromised, it would be possible that the mirrored KEYS file and signatures are
> also compromised. Verifying a mirrored archive against the mirrored KEYS and
> signatures is of no value whatsoever.

The files at the master repository have different names than the files at the 
mirror in Poland.  When I open the digital signature, it wants to verify an 
archive with the same name, but the mirrored archive has a different name than 
the master archive, which only adds to overall confusion.

> I agree that we could improve the doco for windows users and we do happily
> accept patches to improve documentation. On your other points, however, I'm
> afraid we probably won't meet your expectations.

I can write such a patch but I am not sure what the patch should contain.  The 
present situation is highly unsatisfactory.  Please note that the affected 
component in the bug declaration is documentation; therefore your resolution 
not to proceed with my other suggestions does not mean that you will not fix 
the bug as reported.

I consider your decisions:
- to let the mirrors be different from the master: very harmful (in 
particular, to the master server);
- not to register the signature key with the PGP key store: negligent for no 
reason (all it takes is to follow the hyperlink to confirm the e-mail address).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org
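The two points argued above, that a mirrored archive must be checked against the KEYS file from the master site and that the mirrored copy may carry a different file name, can both be shown with the plain gpg command line that cygwin's gnupg or gpg4win gives a Windows user. The script below is an added example and is not code from the bug thread or from the Ant project; every key, file, user ID and file name in it is constructed in a throwaway directory, and verify_release is a hypothetical helper written for this illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Ant project): detached PGP
# signature verification with the gpg CLI, run entirely on constructed data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a passphrase-less key in its own GNUPGHOME (needs gpg 2.1 or later).
# usage: gen_key <homedir> <user-id>
gen_key() {
  mkdir -p "$1"; chmod 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$2" default default never 2>/dev/null
}

# Produce the ASCII-armored detached signature <file>.asc with the key in <homedir>.
# usage: sign_file <homedir> <file>
sign_file() {
  GNUPGHOME="$1" gpg --batch --quiet --yes --armor --detach-sign \
      --output "$2.asc" "$2"
}

# Verify the way a downloader should: a fresh, empty keyring into which only the
# given KEYS file is imported, then the .asc checked against the archive as it
# was saved locally. gpg takes the signed file as an explicit second argument,
# so the local file name does not have to match the master's.
# usage: verify_release <KEYS> <sig.asc> <archive>; exit status 0 = GOOD signature
verify_release() {
  vhome=$(mktemp -d); chmod 700 "$vhome"
  GNUPGHOME="$vhome" gpg --batch --quiet --import "$1" 2>/dev/null
  if GNUPGHOME="$vhome" gpg --batch --verify "$2" "$3" 2>/dev/null
  then rc=0; else rc=1; fi
  rm -rf "$vhome"
  return $rc
}

# --- constructed scenario ----------------------------------------------------
MASTER="$WORK/master"   # what the project's own server publishes
MIRROR="$WORK/mirror"   # what a third-party mirror serves
mkdir -p "$MASTER" "$MIRROR"

gen_key "$WORK/release-key" 'Constructed Release Manager <rm@example.invalid>'
gen_key "$WORK/mirror-key"  'Constructed Mirror Operator <ops@mirror.invalid>'

# Master site: the archive, its .asc made with the release key, and KEYS.
printf 'constructed release archive contents\n' > "$MASTER/release.zip"
sign_file "$WORK/release-key" "$MASTER/release.zip"
GNUPGHOME="$WORK/release-key" gpg --batch --quiet --armor --export > "$MASTER/KEYS"

# Honest mirror: identical bytes saved under a different file name,
# the situation the bug report complains about.
cp "$MASTER/release.zip" "$MIRROR/release-mirrored.zip"

# Compromised mirror (constructed): an altered archive re-signed with the
# mirror operator's own key, plus a KEYS file that lists that key.
printf 'altered archive contents\n' > "$MIRROR/tampered.zip"
sign_file "$WORK/mirror-key" "$MIRROR/tampered.zip"
GNUPGHOME="$WORK/mirror-key" gpg --batch --quiet --armor --export > "$MIRROR/KEYS"

# --- outcomes ----------------------------------------------------------------
if verify_release "$MASTER/KEYS" "$MASTER/release.zip.asc" "$MIRROR/release-mirrored.zip"
then echo "GOOD: renamed mirror copy verifies against master KEYS and master .asc"; fi

if ! verify_release "$MASTER/KEYS" "$MIRROR/tampered.zip.asc" "$MIRROR/tampered.zip"
then echo "REJECTED: mirror-signed archive, signer not in master KEYS"; fi

if ! verify_release "$MASTER/KEYS" "$MASTER/release.zip.asc" "$MIRROR/tampered.zip"
then echo "REJECTED: altered archive does not match the master signature"; fi

if verify_release "$MIRROR/KEYS" "$MIRROR/tampered.zip.asc" "$MIRROR/tampered.zip"
then echo "ACCEPTED (worthless): mirrored KEYS vouches for the mirror's own key"; fi
```

The last case is the one the quoted reply warns about: importing the mirror's KEYS file makes the mirror's signature on an altered archive verify cleanly, so the check proves nothing. The first case shows the remedy for the file-name complaint: passing the locally saved archive name as gpg's second argument verifies the master's .asc against the renamed mirror copy without any renaming.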

