Signing installers for added trust

jackjack

Member
Given the recent issues / compromise, could you look into getting releases signed with PGP/GPG. This enable users to be able to trust the software that is on the site for download.

IIRC this had been broached before and knocked on the head as it was too time consuming for Garrett. To work around that I would suggest that Joel create a key and have Garrett sign it, then either person could sign the installers as they are released.
 

DavidHB

Active Member
This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?

I assume that the executables now once again posted on the Eraser site are still the same as those that were there before the breach; I know that Garrett and Joel have been checking material before allowing it back on line. Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.

David
 

jackjack

Member
DavidHB said:
This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?
There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.

DavidHB said:
When we assume, we make an ass out of u and me :)

DavidHB said:
Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.
While I would hope, given that Eraser has a relatively small line count that it should be spotted, there are plenty of example of other projects suffering code injection that goes unnoticed for far longer than it should, so there's no reason why the same could not happen to this project.
 

DavidHB

Active Member
jackjack said:
There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.
That is why only the 6.0.8 installer was allowed on line for some time.

jackjack said:
DavidHB said:
When we assume, we make an ass out of u and me :)
Not so. Foolish or otherwise, everything we say is based on assumptions. So the real question is: are those assumptions reasonable? In this case, knowing the personalities and considering the time lapse before the install files were reposted, the assumption seems reasonable. Joel only needed to chck the hash against a known good copy.

jackjack said:
DavidHB said:
Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.
While I would hope, given that Eraser has a relatively small line count that it should be spotted, there are plenty of example of other projects suffering code injection that goes unnoticed for far longer than it should, so there's no reason why the same could not happen to this project.
The Eraser code is also highly modular and heavily commented; changes would tend to stand out. And of course, the question is not: could it be amended (which, of course, it can), but could it be uploaded back to the server? Again, a bit of file checking ought to have provided reassurance.

I don't say that the Eraser materials are 100% secure. Nothing in this world is. What I am questioning is the cost-benefit of adding extra layers of security.

David
 

jackjack

Member
DavidHB said:
That is why only the 6.0.8 installer was allowed on line for some time.
How were people supposed to know this 6.0.8 installer was "safe" Save for the forum (how many people who actually download eraser visit it?), I do not recall anything being mentioned about a breach on the main website (though it is possible I missed something). What about those people who installed the software between the time of the breach and the detection of it, with out a signed installer how could they have known what they were getting was safe? Hashes listed on a website are easily changed, cryptographically strong signatures are not as easy to fake


DavidHB said:
What I am questioning is the cost-benefit of adding extra layers of security.
(Free software + a couple of seconds additional time to sign + less than 1kb of storage per sig file) is worth the peace of mind for those that need to be sure the software they are getting is what they expect.
 

DavidHB

Active Member
Points taken, but we shall perhaps have to agree to differ as to their weight in the discussion. It's not my call in any case; I shall be interested to see what Joel and Garrett have to say on the issue.

David
 

jackjack

Member
DavidHB said:
Points taken, but we shall perhaps have to agree to differ as to their weight in the discussion.
Totally, it's not going to be essential for everyone so I understand your stance. As it is I no longer have a use for eraser my self as I've ditched Windows for the time being, however I do have contact with a number of people who really do need this extra level of trust, especially after the incident with the Heidi/Eraser servers.
 

Joel

Active Member
Please allow me to reply in two posts.

Firstly, the compromise did not result in any files modified. Garrett managed to ascertain that the hackers managed to only obtain read access to files on-disk*.

Secondly, Eraser's binaries are all signed by Garrett's and my code signing certificate (Authenticode -- the Windows equivalent of GPG.) I've asked Garrett is request revocation of his certificate for safety purposes; mine is stored on my own server (which was not involved in the compromise)

As the binaries are signed (component DLLs and EXEs), the MSIs in the installer, and the bootstrapper are all signed, I do not think that there is a need for a third layer of security here.

I'll reply to your individual comments in a later post.

*I seem to recall that it was only one folder of the C: drive, but I can't remember which nor recall how many files were in there. Garrett will need to confirm on this.
 

Joel

Active Member
DavidHB said:
This is not my area of expertise, but given that the plugins are validated with root certificates, and without the plugins Eraser does nothing, is an extra layer of validation actually required?
jackjack said:
There's more to the code base than the plugins..... or what's to say that something was not hidden in the installer, so while the real eraser gets installed $evil_app gets surreptitiously installed at the same time.
I think Jack's concern is valid -- code can be modified under our noses. However, as mentioned earlier Eraser's sources are on a separate server (hosted by SourceForge) and was not impacted by the compromise.

DavidHB said:
I assume that the executables now once again posted on the Eraser site are still the same as those that were there before the breach; I know that Garrett and Joel have been checking material before allowing it back on line.
Actually I discarded the copy on the server and uploaded a fresh copy from my own computer.

DavidHB said:
Anyone working directly with the source code will presumably be able to spot a serious malfeasance pretty quickly.
They will have to temper with SourceForge's server, if they modified the code using SVN the change would be logged.
 

DavidHB

Active Member
So, unless I misunderstand things, jackjack's request was, in effect, already implemented.

David
 

Joel

Active Member
Yes -- though I do know why he recommended GPG, because it's open source etc. (just like why Eraser may be preferred over any of the commercial tools) Though I'm inclined to stick to Authenticode, because verification is done by the system automatically, the user does not need to explicitly check (GPG requires you to do so on Windows)
 
Top