No Excuses for No Signatures

By Larry Seltzer  |  Posted 2004-12-23 Print this article Print

Opinion: We all owe thanks to Peter Torr for bringing the issue of digitally signed downloads back to our attention. Microsoft loves them, but they make even more sense for open-source projects.

Every now and then a real jewel comes out of the blogosphere. You hear about it when it happens, because everyone else links to it in their own blogs. I did this recently, linking to a blog entry by Peter Torr of Microsoft. Audacity sells, and Torr had the audacity to entitle his piece "How can I trust Firefox?" The bottom line of the article is that—unlike Microsoft downloads— Firefox is not digitally signed. How can he be sure that the file he downloads is what it purports to be? Theres more to the post, some of it significant, but Id like to focus briefly on the signature part.

For many, many years, Microsoft has supported digital signatures of files and other items such as ActiveX controls. What these signatures do is to allow a user to verify, with a very high degree of certainty, that a file is from who it purports to be from.

Firefox, needless to say, is not distributed with a signature, but Torr exposed many other weaknesses in the process for a user obtaining and installing it. Responding to an advertisement in the New York Times, he went to the advertised URL, This redirected him to, which makes a kind of sense. But the actual download proceeded from I just downloaded it myself and mine came from
.fi? Im supposed to trust this?

Why the mirrors? Microsoft may be able to throw a few zillion dollars at a problem and get some servers and some bandwidth and distribute huge files, but Firefox, like many open-source projects, relies on mirror sites for distribution. Theres nothing inherently wrong with this—its efficient in a way—but it does underscore Torrs problem, which is that he has no way to confirm that the file is what it purports to be.

One of the common responses to this issue is to claim that Microsoft doesnt sign half the things it puts out either, and to be honest, thats the way I remembered things, too. So to confirm things I went to Microsofts downloads page and downloaded what the page calls the 12 most popular downloads. Every one had a signature. I then trolled the site for obscure patches and other downloads that looked lower-key; I got eight of these and all of them were signed as well. I suppose Microsoft has, over time, gotten their signature act together.

I then went looking at other companies downloads. These were all signed by the companies that made the program:
  • The iTunes setup program
  • The Adobe Acrobat 6.0x setup program
  • The ArgoSoft Mail Server setup program
  • The AOL Instant Messenger setup program
Many other programs I use (my text editor TextPad, ActivePython, Spybot Search and Destroy—even Snood!) were not signed.

Next page: Open source and signatures.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel