Digital signatures for native libraries

Digital signatures for native libraries

Lerzeel
Hi,

In our quest to have safer software, our release department asked me whether the native DLL files (for JOGL 2.4.0) are available with digital signatures.
This would allow us to better verify the origin of these files.
Is this something that is already available, or could it be added to the build pipeline?

In a second question they also asked about compiling with the GS compiler switch:
https://learn.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=msvc-170
But I am no C expert, and I am not sure whether an equivalent exists for non-Windows or non-Visual Studio environments.
It would also impact performance a bit, but there are gains in the safer-software department.

Any feedback on the above would be much appreciated,

Thanks

Re: Digital signatures for native libraries

Sven Gothel
Administrator
Hi Lerzeel,

I could offer contracting services to your company to discuss these issues and perhaps help resolve them.

A short answer .. digital signatures with a CA are not the solution for trust.
However, I have signed the SHA of the delivered releases.

~Sven

Re: Digital signatures for native libraries

gouessej
Administrator
In reply to this post by Lerzeel
Hello

As far as I know, they aren't. I might be wrong, Sven can confirm.

Digital signatures aren't a guarantee of security. Several years ago, a criminal stole a digital signature and used it to sign a malicious program containing a virus that used the same name as my game to confuse end users.

You can build JogAmp by yourself and sign it; you don't need us to provide signed libraries. Don't forget that code signing certificates aren't free of charge.

Maybe -fstack-protector-strong would do the job with gcc, but again, Sven knows better than me. The last time I had to compile the C code of JOGL under Windows, I used gcc; Visual Studio isn't supported out of the box, and that's OK for me, it's not necessary, and supporting it would cause some problems.

Best regards.
Julien Gouesse | Personal blog | Website

Re: Digital signatures for native libraries

Sven Gothel
Administrator
(I was first lol)

.. reminds me of our feature Source Certification Contract (SCC), which is tracked as well here.

Current status is that we are able to verify the strong sha at runtime...

Re: Digital signatures for native libraries

Lerzeel
Thanks for the feedback! With this I have enough information to talk to our release department and evaluate our options.

Re: Digital signatures for native libraries

Michael Weber
In the 2.4.0 download folder, there is a sha512sum.txt.sig file for sha512sum.txt. Where do we find the public key required to verify with gpg?

Re: Digital signatures for native libraries

Sven Gothel
Administrator
Key server: hkps://keys.openpgp.org
or
sgothel-gpg-0x8ED60127.asc

Re: Digital signatures for native libraries

Michael Weber
Thank you. I could verify using the asc file you provided, but the asc file obtained from the key server did not work.

I did the following. First, with no key imported yet, from git bash shell (on windows):

gpg --verify sha512sum.txt.sig sha512sum.txt

This reports "using RSA key C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735" and, as expected, "Can't check signature: No public key".

I look up C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735 at hkps://keys.openpgp.org and download 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc.

I import it using "gpg --import 4503DD006E3D7A269E57E10E8B9B030F8ED60127.asc", but gpg reports "8B9B030F8ED60127: no user ID", "gpg --list-keys" does not show a new entry, and gpg verify fails.

Similarly, running gpg --recv-keys as follows:
gpg --keyserver hkps://keys.openpgp.org --recv-keys C8CBB09E831BD6BA1F1EEADD845EBB9EA1F57735
also gives the "8B9B030F8ED60127: no user ID" message.

I'm not a gpg expert so perhaps I'm doing it wrong. But importing sgothel-gpg-0x8ED60127.asc and then verifying worked fine.

Re: Digital signatures for native libraries

Sven Gothel
Administrator
My fault, I didn't confirm my email address w/ https://keys.openpgp.org/
.. a new feature to avoid attacks pumping keyserver with 'funny keys'.

See my test below, working now:

dummytest@risa:~$ gpg -v --receive-key 8B9B030F8ED60127
gpg: data source: https://keys.openpgp.org:443
gpg: armor header: Comment: 4503 DD00 6E3D 7A26 9E57  E10E 8B9B 030F 8ED6 0127
gpg: armor header: Comment: Sven Gothel <sgothel@jausoft.com>
gpg: pub  dsa3072/8B9B030F8ED60127 2010-08-24  Sven Gothel <sgothel@jausoft.com>
gpg: using pgp trust model
gpg: key 8B9B030F8ED60127: public key "Sven Gothel <sgothel@jausoft.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
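A script for the verification flow the two posts above walk through, added here as an example and not code from the thread or the JogAmp project: it fetches the key by its full fingerprint, verifies sha512sum.txt.sig, and pins the primary-key fingerprint (4503...8ED60127 from Sven's output) rather than the signing subkey gpg names in "using RSA key C8CB...7735", then checks the downloaded archives against sha512sum.txt. It assumes gpg and GNU coreutils are installed; the status lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the JogAmp project.
# Assumes gpg and GNU coreutils sha512sum are installed.

# Primary-key fingerprint of the JogAmp release signing key (from the thread).
JOGAMP_PRIMARY_FPR="4503DD006E3D7A269E57E10E8B9B030F8ED60127"

# Fetch the key by full fingerprint. keys.openpgp.org only serves the user ID
# once the owner has confirmed the e-mail address (the "no user ID" failure
# seen in the thread), so always fetch by fingerprint, never by name.
import_signing_key() {
    gpg --batch --keyserver hkps://keys.openpgp.org \
        --recv-keys "$JOGAMP_PRIMARY_FPR"
}

# Reads "gpg --status-fd" lines on stdin; succeeds only when a VALIDSIG line
# ends with the expected primary-key fingerprint. VALIDSIG's first field is the
# (sub)key that made the signature, its last field is the primary key, so this
# is what to pin (the short key id printed by gpg is not sufficient).
check_validsig() {
    expected="$1"
    found=1
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                primary="${rest##* }"       # last whitespace-separated field
                [ "$primary" = "$expected" ] && found=0
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)
                return 1                     # any failure status is fatal
                ;;
        esac
    done
    return "$found"
}

# Verify sha512sum.txt.sig over sha512sum.txt, then check the archives listed
# in it that are present in the current directory (mismatches fail).
verify_release() {
    sig="$1"; sums="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        check_validsig "$JOGAMP_PRIMARY_FPR" || return 1
    sha512sum -c --ignore-missing "$sums"
}

# Usage: sh verify-jogamp.sh sha512sum.txt.sig sha512sum.txt
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```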

Re: Digital signatures for native libraries

Michael Weber
Works on my end too, thanks!