fazbear201 / winezeug

Automatically exported from code.google.com/p/winezeug

PGP signature for winetricks? #7

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
winetricks is great, it has been very handy for me recently.

But... please consider publishing a PGP signature for it.

With the script available only for (non-SSL) http download, and packaged by
few distributions (their loss), it's hard to verify a copy or new version
any way other than reading line-by-line.  While I might trust you (Dan
Kegel) enough to run what you say is worth running, I don't want to have to
trust my ISP, your ISP, the DNS infrastructure, etc.  A PGP signature would
make it possible to be sure the bits I downloaded are the ones you published.

Original issue reported on code.google.com by hank.lei...@gmail.com on 10 Sep 2008 at 5:38

GoogleCodeExporter commented 8 years ago
Trust is a tricky thing.  Man-in-the-middle attacks or DNS attacks could
also substitute a bogus PGP signature from a "Daniel Q. Kegel" instead of
me.  There are many similar problems with the wine wiki, I think.

I think the best solution is for winetricks to be included in Linux distributions, and/or for me to provide it via https download.

Original comment by daniel.r...@gmail.com on 17 Dec 2008 at 3:04

GoogleCodeExporter commented 8 years ago
[Whoops, I forgot to check my gmail as I don't use it often.]

Yup.  http://cm.bell-labs.com/who/ken/trust.html still makes me cringe ;)

What you say about MiTM / DNS spoofing is true also of https downloads (barring a pay-to-play server certificate bought from the CA cartel).  If you were to generate a PGP key, get it disseminated in multiple ways (put your fingerprint in your email .sig, have the key signed by others, etc) then it would build some verifiable credibility.  Of course, that still isn't perfect.  Someone putting out a trojaned release would have to:

- release it unsigned (fools those people not checking for signatures, but nobody who is)

- release it with a new fake key (doesn't fool those who already had your key, and reject some random new one)

- release it with a new fake key and an "Oops I lost my old key, here is the new one" message (doesn't fool those who are skeptical about such announcements, and wait for / seek confirmation from more primary sources, watch for new posts by you, etc)

- release it along with a "spoof campaign", a bunch of public posts forged to impersonate you, taking over your domain, posting to lots of mailing lists as you, creating dozens of other fake identities and having them sign the new key, etc. (fools most people, but doesn't fool *you* or people who know you, so you and they raise hell)

- release it signed with your real key because they have stolen it from you.  Fools everybody.  But verifying that you haven't been compromised isn't what this is about, it's only about verifying that what left your machine is what we have in our hands (essentially).  If they own your development box they can ship (or trojan and wait for you to ship) malicious code signed by you, we understand that.

...Lastly, distributions should have this same concern getting software from you (and from thousands of other open source contributors).  Ideally they should review anything they're pulling in, and read all diffs between versions, but surely they can't, there's just too much of it.  The responsibility needs to be pushed down to the producers as much as possible, with as painless / scalable a mechanism as possible.  PGP signing isn't perfect but it's AFAIK the best there is so far.  Of course this still doesn't do anything about malicious producers, but that's what the moat full of alligators is for.

Thanks,

Hank

Original comment by hank.lei...@gmail.com on 16 Jun 2009 at 2:22
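As an added illustration of Hank's point above (not code from this thread or from winetricks): a downstream verifier that ignores gpg's "Good signature from ..." user ID, which a lookalike "Daniel Q. Kegel" key could carry just as well, and instead pins the key fingerprint obtained out of band. The fingerprint, user IDs and e-mail addresses are constructed placeholders; it assumes gpg is installed and the author's public key has been imported.

```python
import subprocess
import sys
from typing import List, Tuple

# Hypothetical fingerprint obtained out of band (a constructed placeholder, not
# any real winetricks key); 40 hex digits, as gpg prints a v4 key fingerprint.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_PREFIX = "[GNUPG:] "
# Any of these makes verification fail, whatever else gpg reports.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG"}

def gpg_status_lines(sig_path: str, file_path: str) -> List[str]:
    """Verify a detached signature and return gpg's machine-readable status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()

def check_signature(status_lines: List[str],
                    pinned: str = PINNED_FINGERPRINT) -> Tuple[bool, str]:
    """Accept only a signature made by the pinned key.

    GOODSIG carries the user ID, which anyone can put on a key ("Daniel Q. Kegel"),
    so it is ignored; VALIDSIG carries the fingerprint, which is what we pin.
    """
    pinned = pinned.replace(" ", "").upper()
    matched = False
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FATAL_KEYWORDS:
            return False, "gpg reported " + fields[0]
        if fields[0] == "VALIDSIG":
            # fields[1] is the signing (sub)key fingerprint; fields[10], when
            # present, is the primary key fingerprint. Pinning either is fine.
            candidates = {fields[1].upper()}
            if len(fields) >= 11:
                candidates.add(fields[10].upper())
            if pinned not in candidates:
                return False, "valid signature, but from unpinned key " + fields[1]
            matched = True
    return (True, "signature from pinned key") if matched else (False, "no valid signature")

if __name__ == "__main__":
    ok, reason = check_signature(gpg_status_lines(sys.argv[1], sys.argv[2]))
    print(reason)
    sys.exit(0 if ok else 1)
```

Note that plain `gpg --verify` exits 0 for any good signature from any imported key, so the exit status alone does not distinguish the real key from a lookalike; the fingerprint comparison is what does.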

GoogleCodeExporter commented 8 years ago
I will try to get with the program sometime soon.  Just need to find
a debian key signing party...

Original comment by daniel.r...@gmail.com on 6 Jul 2009 at 3:42

GoogleCodeExporter commented 8 years ago

Original comment by daniel.r...@gmail.com on 6 Jul 2009 at 3:44

GoogleCodeExporter commented 8 years ago
I'll sign your key at wineconf (or if we meet up before then), I'm well within the web of trust.

Original comment by YokoZar on 28 Jul 2010 at 8:36