On 27.08.2012 23:11, Andreas Kuckartz wrote:
Rob Weir:
You probably don't see this on the server yet, but end-user operating
systems, both desktop and devices, both at OS level as well as in
browsers and with antivirus software, are shifting over to excluding
non-signed executables by default.  This is equally true of software
distributed on CDs, via downloads, or listed in OS-vendor "stores".
That is the direction that the industry is going.  Any desktop
application that ignores this trend will become unusable by most
users.  Instead of detached digital signatures that Apache releases
already carry, the OS vendors expect integrated signatures via code
signing.

Sorry for extending this thread, but I am curious:

Which "OS vendors" and "end-user operating systems" are you talking about?

For Windows 8 please see e.g.
   http://msdn.microsoft.com/en-us/library/windows/desktop/hh749939.aspx
"6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) must be signed with an Authenticode certificate"

For Mac OSX 10.8 please see e.g.
  https://developer.apple.com/resources/developer-id/
"Gatekeeper is a new feature in OS X Mountain Lion that helps protect users from downloading and installing malicious software. Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with."
and
  http://macperformanceguide.com/MountainLion-application-signing.html
"By default, Mac OS X Mountain Lion disables the ability to run applications which are not signed, the idea being to prevent hackers from persuading you to run a nefarious application.

This is an excellent security precaution, but also a headache until all apps are signed"

The end-user operating system Debian does not require integrated signatures:
http://wiki.debian.org/SecureApt

Debian is a great end-user operating system and I'm using it for my main computing needs. Other contenders in the market for end-user operating systems like Microsoft and Apple are still relevant though so the requirements they impose on applications cannot be easily ignored.

Herbert
