Ask HN: Unsigned Software Downloads

6 points_wldu3y ago5 comments

Why do some large, reputable open source projects not provide digital signatures for software downloads? I thought everyone did this now, but neither Golang or Postgres sign downloads they publish. Why not?

https://go.dev/dl/

https://www.postgresql.org/ftp/source/v15.0/

As counter examples, both the Linux kernel and rust sign downloads they publish:

https://kernel.org/

https://forge.rust-lang.org/infra/other-installation-methods.html#source-code

What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.

5 comments

NickRandom3y ago

How would that solve anything? If an adversary has the ability to push an update then it is game over regardless on if it is signed or unsigned because most don’t check existing keys prior to updating.

Once an adversary has gotten so deep in to your infrastructure that they can push an update the signing keys are mostly irrelevant since chances are they have those already.

If you are asking if each individual contributor should sign/publish their signatures for each update then yes, perhaps. But then which takes precedence - The org or the contributor? Which should/would you trust more and why? And can that prior trust be worth anything if/when either the org or the contributor goes rogue, is compromised, decides to push an obnoxious update or is rubber-hosed in to compliance?

F.W.I.W. the approach I take is to let others be the Alpha/Beta testers for any update and check out the various channels for abnormal reports. For High Severity issues I take a look at the mitigations sections and adopt those in a 'wait and see' approach.

I can imagine edge cases for both which leads to my conclusion that doing so is meritless unless you are considering nation state actors pushing an update but that then leads to the edge case of which update do you trust? And why do you trust that as the ground truth of good/not good?

beauHD3y ago

> SHA256 checksums do not verify the authenticity of the downloaded software

Well after googling for various SHA256 sums, and seeing many results that other people have got, it is at least some peace of mind. Then you know you aren't targeted specifically. There are 'known good' hashes of things like Windows ISOs for example, so you can install a clean 'untouched' Windows that isn't trojanized or laden with malware.

I am aware that simply seeing 100s of the same sum on various sites doesn't mean the executable is 'clean', it just means you weren't MITM'd specifically and targeted with malware that is baked into the executable/ISO/installer/whatever.

NickRandom3y ago

I've seen those same Windows ISO sites push false 'known good' hashes and to make matters worse Microsoft makes it almost impossible to find an easy to check source on hashes unless you are downloading the U.S. version nor do they avoid so many sub-domains that you aren't really sure if it is or isn't an MS site/redirect. Foot, meet Gun.

Am4TIfIsER0ppos3y ago

All those links are HTTPS so you are getting a signed download. Or are you alleging that someone is MITMing your connection to the originating server?

cpach3y ago

Interesting question.

Some things to consider:

Linux and Rust and Rust use GnuPG to sign their releases. IMHO, Minisign would be better, but okey.

Both projects are very large. I wonder how they handle key distribution for the key pair that signs the release. Is the private key online or offline? How do they prevent the private key from leaking?

j / k navigate · click thread line to collapse

Ask HN: Unsigned Software Downloads

6 points_wldu3y ago5 comments

https://go.dev/dl/

https://www.postgresql.org/ftp/source/v15.0/

As counter examples, both the Linux kernel and rust sign downloads they publish:

https://kernel.org/

https://forge.rust-lang.org/infra/other-installation-methods.html#source-code

What is the reason that Google and Postgres have for not signing software downloads? MD5 and SHA256 checksums do not verify the authenticity of the downloaded software.

5 comments

NickRandom3y ago

Once an adversary has gotten so deep in to your infrastructure that they can push an update the signing keys are mostly irrelevant since chances are they have those already.

beauHD3y ago

> SHA256 checksums do not verify the authenticity of the downloaded software

NickRandom3y ago

Am4TIfIsER0ppos3y ago

All those links are HTTPS so you are getting a signed download. Or are you alleging that someone is MITMing your connection to the originating server?

cpach3y ago

Interesting question.

Some things to consider:

Linux and Rust and Rust use GnuPG to sign their releases. IMHO, Minisign would be better, but okey.

j / k navigate · click thread line to collapse