Digital signatures for native libraries

Hi,

In our quest to have safer software, our release department asked me if the native DLL files (for JOGL 2.4.0) were available with digital signatures?
This would allow us to better verify the origin of these files.
Is this something that is already available, or could be added to the build pipeline?

In a second question they also asked about compiling with the GS compiler switch:
https://learn.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=msvc-170
But I am no C expert, and am not sure if an equivalent exists for non-Windows or non-Visual Studio environments.
It would also impact performance a bit, but there are gains in the safer software department.

Any feedback on the above would be much appreciated,

Thanks

Hi Lerzeel,

I could offer contracting services to your company to discuss these issues and perhaps helping to resolve it.

A short answer .. digital signatures with a CA are not the solution for trust.
However, I do have signed the sha of the delivered releases.

~Sven

Hello

As far as I know, they aren't. I might be wrong, Sven can confirm.

Digital signatures aren't a guarantee of security. Several years ago, a criminal stole a digital signature and used it to sign a malicious program containing a virus that used the same name than my game to confuse end users.

You can build JogAmp by yourself and sign it, you don't need us to provide libraries with signed signatures. Don't forget that code signing certificates aren't free of charge.

Maybe -fstack-protector-strong would do the job with gcc but again, Sven knows better than me. The last time I had to compile the C code of JOGL under Windows, I used gcc, Visual Studio isn't supported out of the box and it's ok for me, it's not necessary, supporting it would cause some problems.

Best regards.

(I was first lol)

.. reminds me of our feature Source Certification Contract (SCC), which is tracked as well here.

Current status is that we are able to verify the strong sha at runtime...

Thanks for the feedback! With this I have enough information to talk to our release department and evaluate our options.

In the 2.4.0 download folder, there is a sha512sum.txt.sig file for sha512sum.txt. Where do we find the public key required to verify with gpg?

key server hkps://keys.openpgp.org
or
sgothel-gpg-0x8ED60127.asc

Thank you. I could verify using the asc file you provided, but the asc file obtained from the key server did not work.

I did the following. First, with no key imported yet, from git bash shell (on windows):

gpg --verify sha512sum.txt.sig sha512sum.txt

This reports "using RSA key C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735" and, as expected "Can't check signature: No public key"

I look up C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735 at hkps://keys.openpgp.org and download 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc.

Import using "gpg --import 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc", but gpg reports "8B9B030F8ED60127: no user ID", "gpg --list-keys" does not show a new entry, and gpg verify fails.

Similary, running gpg --recv-keys as follow:
gpg --keyserver hkps://keys.openpgp.org --recv-keys C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735
also gives the "8B9B030F8ED60127: no user ID" message.

I'm not a gpg expert so perhaps I'm doing it wrong. But importing sgothel-gpg-0x8ED60127.asc and then verifying worked fine.

My fault, I didn't confirm my email address w/ https://keys.openpgp.org/
.. a new feature to avoid attacks pumping keyserver with 'funny keys'.

See my test below, working now:

dummytest@risa:~$ gpg -v --receive-key 8B9B030F8ED60127
gpg: data source: https://keys.openpgp.org:443
gpg: armor header: Comment: 4503 DD00 6E3D 7A26 9E57  E10E 8B9B 030F 8ED6 0127
gpg: armor header: Comment: Sven Gothel <sgothel@jausoft.com>
gpg: pub  dsa3072/8B9B030F8ED60127 2010-08-24  Sven Gothel <sgothel@jausoft.com>
gpg: using pgp trust model
gpg: key 8B9B030F8ED60127: public key "Sven Gothel <sgothel@jausoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Works on my end too, thanks!