
A majority of free software (in particular, Linux ports for Windows) is not signed.

As I understand it, it is quite easy to create a self-signed CA, and sign the software. Distribution would be handled by major free software players, like KDE, Gnome, or whoever is behind the software.

Why isn't this standard practice?

Errata:

This question specifically concerns the practice of porting software from Linux to the Windows operating system, and the resulting (perceived) reduction in binary distribution security trust. More specifically, it addresses the practice of distributing binary versions of ported software and the resulting lack of "non-repudiation" as it pertains to digital security.

To rephrase the question: if binary distributions are offered for one platform, and the package source trust infrastructure is implemented, why is such infrastructure not applied to binary "ports"?

Ate Somebits

  • What benefit do you think it would give? –  Jun 13 '19 at 15:16
  • It is somewhat more intuitive than checking GPG signatures, and there are cases where signatures aren't available. Since Windows ports are usually created by individuals, it would provide users with insurance that a Windows port (that is hard to compile) is checked for security holes in the same way the source code is. – Ate Somebits Jun 13 '19 at 15:19
  • Before we proceed, are you talking about signing binaries or signing source code? Or both? –  Jun 13 '19 at 15:20
  • Binaries. More specifically, binary distributions that need administrative level installation. – Ate Somebits Jun 13 '19 at 15:21
  • More to the point, it would provide a kind of "endorsement" of the volunteers that helped with porting/compiling. – Ate Somebits Jun 13 '19 at 15:23
  • For sake of simplicity, I would confine my question to situations where the binaries require admin privileges to install. – Ate Somebits Jun 13 '19 at 15:25
  • Related: https://security.stackexchange.com/questions/186185/why-dont-websites-provide-a-checksum-of-their-downloadable-files/ Note that a signature and a hash serve similar purposes here: you calculate a value, and compare it against something you've received through a trusted route (the public key, or the published "correct" hash). – IMSoP Jun 13 '19 at 15:30
  • @IMSoP good point, however, I'm mainly focusing on software that is ported from other platforms/environments and is painstakingly compiled by contributors not working on the code. There are some big productivity tools that fall into the category. – Ate Somebits Jun 13 '19 at 15:34
  • @AgnesK.Cathex I'm not sure why that makes a difference. At the end of the day, someone is offering you a file to download, and you are deciding whether to trust it or not. As I said on the linked question, the hard part is not creating the signature, it's creating a process behind that signature that the user can trust. – IMSoP Jun 13 '19 at 16:08
  • I've gone ahead and flagged this as a duplicate of [Why don't websites provide a checksum of their downloadable files?](https://security.stackexchange.com/questions/186185/why-dont-websites-provide-a-checksum-of-their-downloadable-files) The difference between certificates and hashes is discussed there, as are the problems with distributing either in a way that provides a tangible benefit. – IMSoP Jun 13 '19 at 16:12
  • Ok, thanks. It helped. – Ate Somebits Jun 13 '19 at 16:39
  • @IMSoP P.S. The reason I'm making a difference between software like CCleaner mentioned in the other answer is that software that is cross-compiled usually involves many more intermediate toolchains, non-ported dependencies, etc., compared to software that is written for the platform. – Ate Somebits Jun 13 '19 at 16:57

1 Answer


Signing with a self-signed certificate provides no value for the usual Windows user. The signature is invalid from the point of view of Windows. The name of the signer is not shown in the elevation prompt. People who would be able to verify such a signature are equally able to verify e.g. a GPG signature, which is more common in the open source community.

Signing with a certificate that is seen as valid in Windows makes sense. The name of the developer is shown in the elevation prompt, at least. But these certificates cost money, even if there are cheap options for open source developers.

In addition to the cost, certificates (not self-signed) need to contain the name of the certificate owner. Some people wouldn't want this publicity. Also, this could be seen as accepting some liability for faults in the software, which many people providing open source without profit also don't want!

Josef
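As an added example (not part of the question or the answer above), here is a PowerShell check an administrator can run on a downloaded installer before elevating it; it reports the same chain outcome Windows evaluates for the elevation prompt and flags the self-signed case the answer describes. The installer path is a placeholder.

```powershell
# Added example, not from the question or answer. Inspects the Authenticode
# signature Windows evaluates before the elevation prompt and explains what
# each outcome means for a downloaded installer. The path is a placeholder.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    # A self-signed certificate is its own issuer.
    $selfSigned = $cert -and ($cert.Subject -eq $cert.Issuer)

    $verdict = switch ($sig.Status) {
        'Valid'        { 'Chain ends in a root Windows trusts; UAC shows the subject as verified publisher.' }
        'NotSigned'    { 'No signature at all; UAC shows publisher "Unknown".' }
        'HashMismatch' { 'Signature does not match the file; contents changed after signing.' }
        'UnknownError' {
            # This is what a self-signed (or otherwise untrusted-root) certificate produces:
            # the signature parses, but the chain does not terminate in a trusted root,
            # so Windows treats the file as unsigned and shows no publisher name.
            if ($selfSigned) { 'Self-signed certificate; Windows treats the file as unsigned.' }
            else             { "Untrusted chain: $($sig.StatusMessage)" }
        }
        default        { "Status $($sig.Status): $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Issuer     = if ($cert) { $cert.Issuer } else { $null }
        SelfSigned = [bool]$selfSigned
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Verdict    = $verdict
    }
}

# Compare Subject/Thumbprint against the identity the project publishes over a
# channel you already trust; 'Valid' alone only says some CA vouched for the name.
Test-InstallerSignature -Path 'C:\Downloads\example-port-setup.exe' | Format-List
```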