RFE: Signed Versions / Checksums

[goldzahn]

Hi,

for security reasons I would appreciate OPENPGP-Signatures for the files provided under https://www.owasp.org/index.php/OWASP_Dependency_Check (Download: http://dl.bintray.com/jeremy-long/owasp/).

Maybe it's easier first to provide checksums of the files on https://www.owasp.org/index.php/OWASP_Dependency_Check (would not be too easy to attack the Owasp-Server and the download server). Checksums on the download server would not really make sense from a security standpoint as it would be no problem to also put the checksum of the forged program there.

Thanks
Regards
Tim

[jeremylong]

In reality - I'm not sure signatures on the Wiki would make any sense as it is a wiki with a ton of contributors.

I'll look into providing the gpg signature in the future and posting that to bintray along side the dependency. Yes, if the site was compromised they could replace the signature with their own...

<rabbitHole>
So let me ask you this - why do you trust a file published with a signature more then one published without? It is entirely possible to publish the source code for a given/tagged version - and add/modify the code prior to compilation, publication, and distribution that is not included in the public source code repository. By posting a signature - yes, you are limiting your attackers or praying that the binary distribution platform has good security AND that the publisher has good operational security with their keys... Wouldn't you rather BYOB (Bring-Your-Own-Binaries) by meticulously reviewing the source code for a given tagged version and then compiling it yourself? Oh wait... did you review the OS and JDK source code too? Where does the rabbit whole of trust end? I love the Ken Thompson paper, "Reflections on Trusting Trust"
</rabbitHole>

[goldzahn]

Well, of course do I have to trust you and your code, otherwise I wouldn't run it and I also have to trust all the other developers of the programs I use. And yes, I also have to trust you that you handle the signing key securely, and I am aware of the fact that in general there is no absolute security.

But for me it still makes sense to provide signatures for downloads as this increases the chance to know that a program that has been provided by a trusted person, has not been tampered by others, who have access to the download server (legitimate or due to criminal acting). I think it's a matter of likelihood and personally I think that the risk of someone breaking into a download site and putting a trojaned version there is nowadays quite high. It's the best way for someone who wants his trojaned version to be installed on many sites at once.

Regards
Tim

[jeremylong]

Please don't get me wrong - I am planning on providing the signatures. Which is why I tried to put that block above in more of a separate section. This is actually one of my areas on interest - is what is published based on the actual source that is tagged as the given version.

Regardless - I'll try to post the signature files to bintray during the next release.

[goldzahn]

Hi Jeremy,

thanks a lot for your work.
Regards
Tim

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.