by throwaway4891a 3468 days ago
Apple's codesign ensures end-to-end chain-of-custody integrity with nonrepudiation, tied to a specific, named signer and likely also a credit-card.

GPG signing and releasing fingerprints of all released artifacts on an https://-served release notice would accomplish nearly the same thing, but requires more steps and causes a confusing `“HandBrake” can’t be opened because it is from an unidentified developer.` dialog.

It is a best practice to both GPG sign all release artifacts and use vendor-specific code-signing / app stores; otherwise conversion will suffer, with each additional hoop multiplied by the N of the entire user base, resulting in much more time-wasting.

End-to-end integrity also prevents entire classes of attacks such as hacked CDNs, hacked networks and so on.

1 comment

Universalizing GPG would be an improvement.

The "end-to-end chain-of-custody" is actually the problem, because it does two bad things.

First, it encourages people to give it more faith than is due. Having an ironclad guarantee that something is approved by a specific untrustworthy person can do more harm than good when people see the guarantee and not the guarantor.

Second, when the process has barriers (e.g. for poor students or foreign nationals), you get a lot of legitimate software that isn't signed, which means you're harmfully desensitizing users to security warnings. Or locking out legitimate software.

Suppose you replace that with automatic GPG signatures, where the software has to be signed by the author but the author doesn't have to be signed by anybody else. You still have something useful -- you can verify that two pieces of software are from the same author. And that updates are from the same author as the original. And the author can publish their public key to their website, allowing security-conscious users to link the software to the trusted website.

Meanwhile, signing becomes only a checkbox with no gatekeeper deciding who can and can't sign; no one is excluded, so everything can be signed and there are no spurious security warnings for legitimate software.
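The two comments describe two halves of one verification routine: the first wants artifact hashes published in a signed release notice so a hacked CDN or network cannot swap a download, the second wants author-only signatures where an installer checks that an update is signed by the same key as the original. The Go program below is an added example covering both; it is not code from either commenter, from HandBrake, or from Apple. It uses Ed25519 from Go's standard library in place of GPG, which the comments name, and the project name, file names, manifest format and artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest is the constructed "release notice": the version plus the hex
// SHA-256 of every artifact. The whole manifest is signed, so neither a
// hash nor an artifact can be swapped downstream without detection.
type Manifest struct {
	Version   string
	Artifacts map[string]string // artifact name -> hex SHA-256
}

// canonical renders the manifest deterministically (sorted names) so the
// author signs and the installer verifies identical bytes.
func (m Manifest) canonical() []byte {
	names := make([]string, 0, len(m.Artifacts))
	for n := range m.Artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%s\n", m.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, m.Artifacts[n])
	}
	return []byte(b.String())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrKeyChanged   = errors.New("signing key differs from key pinned on first install")
	ErrHashMismatch = errors.New("artifact hash does not match signed manifest")
	ErrUnlisted     = errors.New("artifact not listed in manifest")
)

// KeyStore pins the first key seen per project (trust on first use). Nobody
// vouches for the author, but every later update must use the same key.
type KeyStore struct{ pinned map[string]ed25519.PublicKey }

func NewKeyStore() *KeyStore { return &KeyStore{pinned: map[string]ed25519.PublicKey{}} }

func (ks *KeyStore) check(project string, pub ed25519.PublicKey) error {
	if old, ok := ks.pinned[project]; ok {
		if subtle.ConstantTimeCompare(old, pub) != 1 {
			return ErrKeyChanged
		}
		return nil
	}
	ks.pinned[project] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// makeRelease is the author's side: hash each artifact and sign the manifest.
func makeRelease(priv ed25519.PrivateKey, version string, artifacts map[string][]byte) (Manifest, []byte) {
	m := Manifest{Version: version, Artifacts: map[string]string{}}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m.Artifacts[name] = hex.EncodeToString(sum[:])
	}
	return m, ed25519.Sign(priv, m.canonical())
}

// VerifyRelease is the installer's side: key continuity, then signature,
// then every downloaded artifact against the signed hash.
func VerifyRelease(ks *KeyStore, project string, pub ed25519.PublicKey,
	m Manifest, sig []byte, downloaded map[string][]byte) error {
	if err := ks.check(project, pub); err != nil {
		return err
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	for name, data := range downloaded {
		want, ok := m.Artifacts[name]
		if !ok {
			return fmt.Errorf("%w: %s", ErrUnlisted, name)
		}
		sum := sha256.Sum256(data)
		got := hex.EncodeToString(sum[:])
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			return fmt.Errorf("%w: %s", ErrHashMismatch, name)
		}
	}
	return nil
}

func main() {
	author, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	attacker, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ks := NewKeyStore()
	v1 := map[string][]byte{"HandBrake-1.0.dmg": []byte("constructed v1 bytes")}
	m1, s1 := makeRelease(authorPriv, "1.0", v1)
	fmt.Println("genuine 1.0: ", VerifyRelease(ks, "handbrake", author, m1, s1, v1))
	// A compromised CDN swaps the artifact; the signed manifest still names the real hash.
	swapped := map[string][]byte{"HandBrake-1.0.dmg": []byte("trojaned bytes")}
	fmt.Println("tampered 1.0:", VerifyRelease(ks, "handbrake", author, m1, s1, swapped))
	// An update signed by a key other than the one pinned at 1.0 is refused.
	v2 := map[string][]byte{"HandBrake-1.1.dmg": []byte("constructed v2 bytes")}
	m2, s2 := makeRelease(attackerPriv, "1.1", v2)
	fmt.Println("rogue-key 1.1:", VerifyRelease(ks, "handbrake", attacker, m2, s2, v2))
}
```

The order of checks matters: key continuity is tested before the signature, so a valid signature from the wrong key is still rejected, which is the "same author as the original" property the second comment asks for. Publishing the author's public key on the HTTPS site would let a cautious user seed the KeyStore from that page instead of from the first download.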