microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

Add verification with GPG signatures #683

Open nopeinomicon opened 3 years ago

nopeinomicon commented 3 years ago

Description of the new feature/enhancement

Some applications have GPG signatures, signed by a developer's key, in order to verify their validity. This is a mostly foolproof method of ensuring that the package has not been tampered with by outside sources, as unless the developer's private key has leaked, the signature cannot be replicated for a modified binary.

Adding this feature may have some additional overhead, but for the apps that use it this is a great extra security measure to ensure the end user is receiving the correct binary.

Proposed technical implementation details (optional)

I have no real idea how to implement this. I could give some ideas to parallel my experience with openSUSE's zypper, which I maintain some packages for and which uses this system for some apps, but beyond that everything is in the hands of the core team.

garantir-admin commented 3 years ago

With no disrespect to @nopeinomicon, please don't use GPG signatures, or at least support X.509 as well as GPG signatures. GPG signatures typically require explicitly trusting each publisher's GPG public key, which gets tedious and error-prone and leads to people trusting everything they need just to get the install working. Using certificates issued by CAs isn't perfect, but is a more scalable solution. Additionally, the signing process should support using the Windows Certificate Store just as other Windows tools do, and the Windows Certificate Store doesn't (natively) support GPG keys.
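The two verification paths proposed in this thread, as an added PowerShell example that is not winget-cli code: an Authenticode (X.509) check against the Windows Certificate Store with the signer pinned to a thumbprint, and a detached GPG signature check against a per-publisher keyring with the key pinned to a fingerprint. It assumes a manifest would carry the pinned thumbprint or fingerprint, that `gpg.exe` is on `PATH`, and the function and parameter names are hypothetical.

```powershell
# Added example, not part of winget-cli. Assumes the manifest pins either an
# Authenticode signer thumbprint or an OpenPGP key fingerprint (hypothetical fields).

function Test-AuthenticodeInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # pinned in the manifest
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = file hash matches and the chain builds to a root trusted by the
    # Windows Certificate Store. NotSigned, HashMismatch, UnknownError all fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Authenticode: $($sig.Status) - $($sig.StatusMessage)" }
    }
    # A trusted chain alone is not enough: any CA-issued code-signing cert would pass.
    # Pinning the signer thumbprint ties the package to the publisher named in the manifest.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{ Ok = $false; Reason = "Authenticode: signer $($sig.SignerCertificate.Subject) does not match pinned thumbprint" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "Authenticode: signed by $($sig.SignerCertificate.Subject)" }
}

function Test-DetachedGpgSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SignaturePath,        # detached .sig or .asc
        [Parameter(Mandatory)] [string] $Keyring,              # keyring holding ONLY this publisher's key
        [Parameter(Mandatory)] [string] $ExpectedFingerprint   # 40 hex chars, pinned in the manifest
    )
    # A dedicated keyring per publisher avoids the "trust everything to get the
    # install working" problem; --status-fd 1 gives machine-readable result lines.
    $out = & gpg --batch --no-default-keyring --keyring $Keyring --status-fd 1 `
                 --verify $SignaturePath $Path 2>$null
    # VALIDSIG is emitted only for a good signature. Token 3 is the signing (sub)key
    # fingerprint; the last token is the primary key fingerprint.
    $valid = $out | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG [0-9A-F]{40} ' } | Select-Object -First 1
    if (-not $valid) {
        return [pscustomobject]@{ Ok = $false; Reason = 'GPG: no VALIDSIG line (bad, missing or unknown-key signature)' }
    }
    $fields   = $valid -split ' '
    $expected = $ExpectedFingerprint.ToUpperInvariant()
    if ($fields[2] -ne $expected -and $fields[-1] -ne $expected) {
        return [pscustomobject]@{ Ok = $false; Reason = "GPG: signed by $($fields[-1]), not the pinned publisher key" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "GPG: valid signature from $($fields[-1])" }
}
```

Both functions return an object with `Ok` and `Reason` so a caller can refuse the install and log why; a manifest could carry either pin, or both, and require every declared check to pass.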